mysqlsqlsql-insertstackedsqlmap

SQLMAP - how to insert into a database if stacked queries are not possible on a MYSQL server?


Pulling database tables and columns works fine using SQLMAP, but as I try to execute an INSERT statement I get the following error:

query:

sqlmap -u "http://www.example.com/details.php?item_id=327" -D main_db -T orders --columns --sql-query \ "INSERT INTO orders (order) VALUES ('test')"


Table:orders

+---------+----------+
| Column  | Type     |
+---------+----------+
| order   | longtext |
| data    | date     |
| timp    | time     |
+---------+----------+

[22:47:50] [WARNING] execution of custom SQL queries is only available when stacked queries are supported
 INSERT INTO orders (order) VALUES ('test'):    None
[22:47:50] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.example.com'

Is there any workaround for altering the database using SQLMAP on a MYSQL server?


Solution

  • Most databases do not allow you to just insert data using SQL Injection (Unless of course you are already in an insert query and even then you usually can't control the table name). You can't simply stack queries, that is only allowed in Microsoft SQL Server, PostgreSQL and comic books. You can use a sub-select or union select to access data from another table, and SQLMap is doing this behind the scenes.

    SQLMap's real strength is in data exfiltration. If you want something more complex, like a multi-staged attack that gives you a shell, then you need to write an exploit. Take off the training wheels and be man (or woman).

    Answer shamefully copied from here