Harry

Reputation: 1353

Sqlite Injection with Update Subquery

I am trying to run the following query:

 query = """SELECT id, password_hash, salt FROM users
           WHERE username = '{0}' LIMIT 1""".format(username)

with this 'username'

 ' OR username IN ((SELECT 
(UPDATE users SET password_hash="hash") FROM users)) -- 

but I am getting this error:

OperationalError: near "UPDATE": syntax error

What am I doing wrong?

It's not because of prepared statements or anything, because that query works:

 ' OR username IN ((SELECT username FROM users)) -- 

I am doing this legally on a website called stripe-ctf.com and for learning purposes.

Upvotes: 1

Views: 3879

Answers (1)

Greg Sadetsky

Reputation: 5092

To run multiple statements, you would normally separate them using ';', e.g.

SELECT id, password_hash, salt FROM users WHERE username = 'bob'; UPDATE users SET password_hash='hash' WHERE username='bob';

However, you won't be able to inject this; the call cursor.execute(query) on line 88 of secretvault.py won't allow you to execute multiple statements (see the documentation: execute() will only execute a single SQL statement.)

You're on the right path though... I won't give out the answer, but I encourage you to look into the SQLite SELECT documentation. Try to look into ways of "forcing" the SELECT statement to return additional values.

Best of luck!

Upvotes: 2
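Added example, not part of the original posts or of secretvault.py: it runs the question's string-formatted lookup beside a parameter-bound version, and confirms the single-statement behaviour of execute() that the answer describes. The in-memory table, its one constructed row and the function names are assumptions made for illustration.

```python
import sqlite3

# The working input quoted in the question.
PROBE = "' OR username IN ((SELECT username FROM users)) -- "

def make_db():
    """Constructed sample data; column names follow the query in the question."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "password_hash TEXT, salt TEXT)")
    db.execute("INSERT INTO users (username, password_hash, salt) "
               "VALUES ('bob', 'h1', 's1')")
    db.commit()
    return db

def lookup_formatted(db, username):
    """The question's pattern: input is spliced into the SQL text."""
    query = """SELECT id, password_hash, salt FROM users
               WHERE username = '{0}' LIMIT 1""".format(username)
    return db.execute(query).fetchone()

def lookup_bound(db, username):
    """Hardened form: the input is bound as a value and never parsed as SQL."""
    query = """SELECT id, password_hash, salt FROM users
               WHERE username = ? LIMIT 1"""
    return db.execute(query, (username,)).fetchone()

def stacked_is_rejected(db):
    """execute() refuses a second statement after ';' and runs neither."""
    stacked = ("SELECT id FROM users WHERE username = 'bob'; "
               "UPDATE users SET password_hash='hash' WHERE username='bob';")
    try:
        db.execute(stacked)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # Warning on older Python releases, ProgrammingError on newer ones.
        return True
    return False

def stored_hash(db, username):
    row = db.execute("SELECT password_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row[0]

if __name__ == "__main__":
    db = make_db()
    print("formatted:", lookup_formatted(db, PROBE))  # row returned: input parsed as SQL
    print("bound:    ", lookup_bound(db, PROBE))      # None: input compared as a string
    print("stacked rejected:", stacked_is_rejected(db), "hash:", stored_hash(db, "bob"))
```

The single-statement limit only blocks stacked statements; the formatted lookup still returns a row for the probe, so parameter binding is the actual fix.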
