MySQL doesn't support stacked querys, unfortunately you can't stack querys like postgresql, mssql, ...
On Tue, Jul 20, 2010 at 7:09 PM, Michael McGrew <[email protected]> wrote: > If you can inject SQL could you end the query with ; then start a new > select query where you use INTO OUTFILE? > > This is why it's not working: > "An INTO clause should not be used in a nested SELECT because such a > SELECT must return its result to the outer context. " > http://dev.mysql.com/doc/refman/5.0/en/select.html > > > > On Tue, Jul 20, 2010 at 2:23 PM, Robin Wood <[email protected]> wrote: >> I sent this to the webappsec mailing list but thought I'd send it here >> as well looking for some SQL Injection experts. >> >> >> ---------- Forwarded message ---------- >> >> I've got a vulnerable web app with a MySQL backend where I can inject >> into an INSERT query and I want to create a file. With a SELECT I >> would use a UNION and then SELECT whatever INTO OUTFILE "filename" but >> how do you do it with an INSERT query? >> >> I tried: >> >> INSERT INTO size VALUES (22, (SELECT "abc" INTO OUTFILE "/tmp/test")) ; >> >> That executes and size gets a new row with 22 and "abc" in it but it >> doesn't create the file. >> >> I also tried an UPDATE and had the same problem: >> >> UPDATE size SET big=22 WHERE big = (SELECT "abc" INTO OUTFILE "/tmp/test"); >> >> The update happens where big="abc" but no outfile. >> >> Can it be done? >> >> Robin >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
