SQL injection: Replace SELECT query with INSERT/UPDATE statement
Does anybody know if it is possible to use sqlmap to inject into a SQL SELECT query, which takes in POST variables from a web form, to alter it to an INSERT or UPDATE statement, possibly by using the --prefix and --suffix switches?
For example, is it possible to replace

"SELECT full_name FROM people WHERE id=$_POST['id'] AND username=$_POST['username']"

With either of the following

"INSERT INTO people VALUES ('0', 'Mr. Back Track', 'BT')"

"UPDATE people SET username='change' WHERE id=$_POST['id']"

If there is another way to achieve this, suggestions would be welcome. I've tried stacking queries to append an INSERT/UPDATE statement after the SELECT, but keep getting syntax errors.
Re: SQL injection: Replace SELECT query with INSERT/UPDATE statement
Unless the entire query is controllable from the parameter, then no, you can't morph a SELECT into an INSERT or UPDATE. However, you can likely alter one or more parameters affecting the WHERE clause of the query, which, along with various comment delimiters, may allow you to remove restrictions of the WHERE clause or chain your own query along with the SELECT.
1) Simply assemble the HTTP request by hand and send it via netcat or telnet to the appropriate service etc.
2) Fix your syntax (keep in mind that a semi-colon normally delimits queries, and that you can use various comment constructs to get rid of bits of the original you don't like).
3) Alter the source code of sqlmap.
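To make the answer's point about the WHERE clause concrete from the defender's side, here is an added example (not from the original thread) that rebuilds the question's query in Python against an in-memory SQLite table: the string-interpolated version lets input that comments out the rest of the clause return every row, the parameterized version treats the same input as a literal, and a small check shows that whether a second statement can be chained at all depends on the database driver. The table contents, the `people` column names and the function names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample table mirroring the schema implied by the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER, full_name TEXT, username TEXT)")
    conn.executemany(
        "INSERT INTO people VALUES (?, ?, ?)",
        [(1, "Alice Example", "alice"), (2, "Bob Example", "bob")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, id_value, username):
    """Builds the query by string interpolation, like the PHP query in the question.

    Anything in id_value is parsed as SQL, so the rest of the WHERE clause can be
    altered or commented away by the caller.
    """
    sql = (
        f"SELECT full_name FROM people WHERE id={id_value} "
        f"AND username='{username}' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, id_value, username):
    """Parameterized query: the values are bound as data and never parsed as SQL."""
    sql = "SELECT full_name FROM people WHERE id=? AND username=? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (id_value, username))]


def driver_allows_stacking(conn):
    """Return True if execute() accepts two semicolon-separated statements.

    Python's sqlite3 module refuses this with ProgrammingError (older versions
    raised Warning), which is one reason a chained statement can fail even when
    the SQL itself is syntactically fine.
    """
    try:
        conn.execute("SELECT 1; SELECT 2")
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return False
    return True
```

The same comparison applies to any driver: the fix is binding parameters, not filtering quote or comment characters out of the input.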