If you can inject SQL could you end the query with ; then start a new select query where you use INTO OUTFILE?
This is why it's not working: "An INTO clause should not be used in a nested SELECT because such a SELECT must return its result to the outer context. " http://dev.mysql.com/doc/refman/5.0/en/select.html On Tue, Jul 20, 2010 at 2:23 PM, Robin Wood <[email protected]> wrote: > I sent this to the webappsec mailing list but thought I'd send it here > as well looking for some SQL Injection experts. > > > ---------- Forwarded message ---------- > > I've got a vulnerable web app with a MySQL backend where I can inject > into an INSERT query and I want to create a file. With a SELECT I > would use a UNION and then SELECT whatever INTO OUTFILE "filename" but > how do you do it with an INSERT query? > > I tried: > > INSERT INTO size VALUES (22, (SELECT "abc" INTO OUTFILE "/tmp/test")) ; > > That executes and size gets a new row with 22 and "abc" in it but it > doesn't create the file. > > I also tried an UPDATE and had the same problem: > > UPDATE size SET big=22 WHERE big = (SELECT "abc" INTO OUTFILE "/tmp/test"); > > The update happens where big="abc" but no outfile. > > Can it be done? > > Robin > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
