SQL UNION INSERT

I have found a vulnerability within a website and I am trying to figure out how I would be able to exploit it. The vulnerability is that the user input is used as part of a SELECT query, the query is performed and then the user input is validated (so the designer wrote the validation in the wrong place). If the user input isn't numeric it kills the script (die() in php) so I can't do a UNION SELECT and try and gather more information from the database as it wont be displayed.

I was wondering whether there is any way that people know of which something like UNION INSERT could be performed (I dont believe it is possible to do an actual UNION INSERT) or some other SQL which would allow for me to exploit the vulnerability.

Thanks for any suggestions in advance

Satal :)

might be able to help but need to know the site to get a better understanding

The code which is used in the website is

{
  global $querycounter, $syslog;
  $sql = mysql_query($query) or $syslog->dolog(1, mysql_error()." - ".$query);
  if ($sql)
  {
    $querycounter++;
    return $sql;
  }
  else
  {
    return false;
  }
}

$data = dbquery("SELECT * FROM ".DB_PREFIX."custompages WHERE page_id=".$_GET['id']) or die(mysql_error());

if(!is_numeric($_GET['id']) || @dbrows($data) == 0)
{
  $error->DisplayError(11, false);
}```

So as you can see the query uses the user input before it is validated, but when it is validated it stops any information being shown.

So any suggestions?
Recommended websites with information which would be of use if possible :D

Satal Keto wrote: So any suggestions? Recommended websites with information which would be of use if possible :D

Research the is_numeric PHP function. Recommended websites: PHP.Net and Google.

What are you talking about? Please read the code again, taking special special notice of the fact that the query is run before the user input is validated. I am not trying to get information back form the database (because I can't), I am trying to find out if there is any way to get the database to for example insert a row into a table.

Satal Keto wrote: What are you talking about? …the query is run before the user input is validated. …when it is validated it stops any information being shown. …I am not trying to get information back form the database (because I can't)

The question is: What are you talking about? You don't want to get information back from the database… at all? It's possible… you just give up too quickly on that.

I am trying to find out if there is any way to get the database to for example insert a row into a table.

sigh Yes, I'm sure. Just add a SQL INSERT statement as a second statement in the GET variable (separating it from the first one, of course), then put a comment at the end of the second statement to truncate the first.

http://www.hellboundhackers.org/forum/sql_injection_full_guide-15-10736_0.html

@Zephyr_Pure Ok fine I gave up too quickly on that but to the best of my knowledge there is no way that any information can be gathered from the database, if you can provide links to sites with explanations about how it can be done then I would be greatful, but im pretty sure that it can't be done because any SQL will not be a valid number it will fail the if statment (well pass as its !is_numeric) and have the script killed with a default respose (not a mysql error message). Even trying to get a error out of the mysql database wouldn't work because the dbquery, catches the errors and then saves them to the database and prints out a default error message (not the mysql one).

@Mr_Cheese Thank you but I had already read it and it doesn't provide information relevant to this situation as far as I am aware. If you can point me at some part of your post which is relevant to this situation then i will apologize but as I have said above as far as I am aware there is no way that I can get information back as the script is killed before any output is given.

Satal Keto wrote: @Zephyr_Pure to the best of my knowledge there is no way that any information can be gathered from the database, if you can provide links to sites with explanations about how it can be done then I would be greatful, but im pretty sure that it can't be done because any SQL will not be a valid number it will fail the if statment (well pass as its !is_numeric)

I told you what to do in my first post. Research it on your own, or fucking fail. I'm sick of having to spell out shit for you lazy people that don't want to do the work. If you can't get any information from the database, I really don't give a shit. My help is free, just like everyone else's here.

@Zephyr_Pure Please try and keep this conversation pleasant theres no need for language like that.

I never once asked for someone to tell me what I need to put in the $_GET['id'] in order to hack the website! I asked about anyway to add an INSERT query to a SELECT query. Which you did provide some advice in your second post.

Zephyr_Pure wrote: Just add a SQL INSERT statement as a second statement in the GET variable (separating it from the first one, of course), then put a comment at the end of the second statement to truncate the first.

After which I responded to the first statement within your second post saying that I had given up too quickly on trying to get information from the data. My response merely said about how I didn't see anyway in which I would be able to get information from, and I asked if you knew of any website which had information about this so that I could read up on this and learn. Now I admit I probably should have written a thanks for the advice, but I had an exam this morning and I wanted to respond before I left to go to the exam and forgot.

If asking on the forums of HBH for suggestions of websites which would help me to learn/understand how to exploit the vulnerability is frowned upon…

Zephyr_Pure wrote: Research it on your own, or fucking fail. then the parts of the forum to do with hacking might as well be removed.

Satal Keto wrote: I never once asked for someone to tell me what I need to put in the $_GET['id'] in order to hack the website! …My response merely said about how I didn't see anyway in which I would be able to get information from, and I asked if you knew of any website which had information about this so that I could read up on this and learn.

I stripped out the useless portions of your previous post so that you, as I did, can see you contradicting yourself. You didn't ask… then, you merely asked…

@Zephyr_Pure Please try and keep this conversation pleasant theres no need for language like that.

If asking on the forums of HBH for suggestions of websites which would help me to learn/understand how to exploit the vulnerability is frowned upon, then the parts of the forum to do with hacking might as well be removed.

This conversation isn't going to be pleasant or otherwise. This conversation is over. You have obviously confused "suggestions" and "help", in regards to the forums, for "spoon-feeding". I did give you a suggestion on how to exploit the vulnerability; you're just too lazy to research it. If you don't figure out how to learn on your own when given help, then you will be a failure and shouldn't even be here.

Oh, and for the record… I will use whatever fucking language I please, thank you.

Zephyr_Pure wrote: This conversation is over. Since this conversation is over (which means you shall not be responding anymore) I shall say thank you for what input you have given, I will look at how I ask questions from now on to ensure they are not mistaken for asking to be spoon-fed, which I am not interested in.

@Everyone else Does anyone else have any suggestions on sires which would give information regarding useful SQL commands which might be of use, please do not provide detailed responses but I welcome being pointed in the right direction so I may research and learn for myself

;)