2

I am trying to use UPDATE or INSERT after getting the victim database information; for that I am using the command:

sqlmap -u somewebsite.com/id=2  --sql-shell

After that:

> sql-shell :  UPDATE username FROM ....

and I get an error every time (also on other websites):

execution of custom SQL queries is only available when stacked queries are supported  

And if I type

SELECT username FROM ...

I get correct results.

I've tried to google a lot about this, but no luck. If possible, give me some advice to update the victim's database. Thanks

grochmal
Samxo

1 Answer

4

Now, this is... ekhm... not the best place to ask SQL syntax questions.

The UPDATE operation does not have a FROM keyword in SQL. In other words, a SELECT operation looks as follows:

SELECT username FROM user_table WHERE user_id = 1;

But the UPDATE operation is:

UPDATE user_table SET username = 'myuser' WHERE user_id = 1;

(which turns out to be quite different from your: UPDATE username FROM ...)

So yeah, sqlmap is seeing two queries: an UPDATE (thanks to the UPDATE keyword) and a SELECT (thanks to the FROM keyword). Most SQL injections do not allow for stacked (multiple) queries. See this question about the availability of stacked queries in SQL injections.

grochmal
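
Why stacked queries are usually unavailable, shown as an added example that is not part of the original answer: whether a second statement can run depends on the database API the application calls, and parameter binding removes the injection altogether. It uses Python's sqlite3 with a constructed table and input; the function names are hypothetical.

```python
import sqlite3

# Constructed input: a legitimate id followed by a second, stacked statement.
STACKED = "1; UPDATE user_table SET username = 'myuser' WHERE user_id = 1"

def make_db():
    """In-memory database holding one constructed sample row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_table (user_id INTEGER PRIMARY KEY, username TEXT)")
    db.execute("INSERT INTO user_table VALUES (1, 'alice')")
    db.commit()
    return db

def current_username(db):
    """Read back the sample row so callers can see whether it was modified."""
    return db.execute("SELECT username FROM user_table WHERE user_id = 1").fetchone()[0]

def lookup_concat(db, user_id):
    """Injectable: the value is pasted into the SQL text. execute() still
    accepts only ONE statement, so stacked input is refused by the driver."""
    sql = "SELECT username FROM user_table WHERE user_id = " + user_id
    try:
        return db.execute(sql).fetchall()
    except (sqlite3.Warning, sqlite3.Error) as exc:
        return "rejected: " + type(exc).__name__

def lookup_script(db, user_id):
    """Injectable AND multi-statement: executescript() runs every statement
    in the string, which is the 'stacked queries supported' case."""
    db.executescript("SELECT username FROM user_table WHERE user_id = " + user_id)

def lookup_param(db, user_id):
    """Hardened: the value is bound as data and never parsed as SQL."""
    return db.execute(
        "SELECT username FROM user_table WHERE user_id = ?", (user_id,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, STACKED), current_username(db))  # refused, row intact
    lookup_script(db, STACKED)
    print(current_username(db))                              # row was modified
    print(lookup_param(make_db(), STACKED))                  # no rows, no change
```

For code review, the takeaway is that multi-statement calls such as `executescript()` should never receive request data, and lookups should bind values with placeholders.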