views:

62

answers:

1

Hi, I am doing a MySQL injection on a site (for educational purposes, I promise hehe). Now, it uses MySQL as its database, and I cannot do: "; UPDATE..." so my question is, if I do: "OR id=(update...)" as a subquery, that of course doesn't make any sense, yet will it execute the update on the table I choose?

+1  A: 

Your success or failure will depend on a number of factors. The first major hurdle you face is whether or not your "friend" was smart enough to use PHP for his database inputs and use the line mysql_real_escape_string, which will prevent you from sending any commands through his textboxes and/or other input areas.

http://php.net/manual/en/function.mysql-real-escape-string.php

Your second major hurdle after determining that mysql_real_escape_string has not been used is to determine the true name of the table you want to update. I personally never expose my true database names to the web, I use pseudo names which represent the true names.

If you have succeeded this far you should be able to manipulate the MYSQL server in any way you see fit.

Check out this link for more helpful tips. I have never utilized any of these techniques in a manner other than testing my own MYSQL servers for vulnerabilities.

http://old.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/

Michael Eakins
Hi, he's using magic quotes. I know that if I get the name of the tables I can execute an update. My question was whether I could embed an update query inside a select. Say for example: Select * from Users where id=(Update users set id=5 where name="hi") .. Now I know that query doesn't make any sense, I was just wondering if the update query executes successfully and does indeed update a record even when the select query is invalid.
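The answer above treats mysql_real_escape_string as the fix. As an added example (not code from the thread), here is why that is only half a defense: escaping and magic quotes only neutralise quote characters, so they do nothing for an unquoted numeric context like the `id=` comparison in the question, whereas a prepared statement keeps the value out of the SQL text altogether. The mysqli API is used in place of the removed mysql_* extension, and the connection details and table layout are assumed placeholders.

```php
<?php
// Added example, not from the original thread. Assumes a table `users(id INT, name VARCHAR)`.

// Vulnerable form: real_escape_string (the mysqli counterpart of mysql_real_escape_string,
// and effectively what magic_quotes_gpc did) only backslash-escapes quote characters.
// In an unquoted numeric comparison there is no quote to break out of, so whatever the
// request contains is spliced into the statement as SQL, not as a value.
function findUserVulnerable(mysqli $db, string $id): ?array
{
    $sql = "SELECT id, name FROM users WHERE id = " . $db->real_escape_string($id);
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened form: a prepared statement sends the SQL text and the bound value separately,
// so the value is never parsed as part of the statement, quoted or not. Casting to int
// additionally guarantees the type the column expects.
function findUserSafe(mysqli $db, string $id): ?array
{
    $idInt = (int) $id;                // non-numeric input becomes 0, never SQL
    $stmt = $db->prepare("SELECT id, name FROM users WHERE id = ?");
    $stmt->bind_param("i", $idInt);    // "i" = bind as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Placeholder connection details (assumed; replace with your own).
$db = new mysqli("localhost", "app_user", "app_password", "app_db");
if ($db->connect_error) {
    exit("connection failed: " . $db->connect_error);
}
var_dump(findUserSafe($db, $_GET['id'] ?? ''));
```

The same rule applies to every other value spliced into a query: bind it, or for identifiers such as table names, check it against an allow-list, rather than relying on escaping.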