Daggy
18-04-09, 20:27
Hey dudes...
I found out that I can inject my own code into some site's function that updates one's own profile.
It does: Update table Set email='newemail' Where user='id';
The value newemail is sent to the server by POST.
I saw that it is not filtered, so I posted the value newemail', adminlevel='3
and wuuuh, I was admin :) -> Update table Set email='newemail', adminlevel='3' Where user='id';
So what I want to ask is: is it possible to change values in other tables, even in other databases (of course on the same server^^)? I thought of something like the union select thing, but for the update statement.
Thx for your help! :D
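The behaviour described in the post, reproduced against a throwaway in-memory SQLite database next to the parameterized form that prevents it. This is an added example, not code from the post or from the site it discusses; the `users` table, its columns and the function names are assumptions.

```python
import sqlite3

# Value quoted in the post: it closes the email string and adds a second assignment.
POSTED_VALUE = "newemail', adminlevel='3"

def make_db():
    # Constructed sample schema (hypothetical table and column names).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
               "adminlevel INTEGER NOT NULL DEFAULT 0)")
    db.execute("INSERT INTO users (id, email) VALUES (1, 'old@example.test')")
    return db

def update_email_concatenated(db, user_id, new_email):
    # The pattern the post describes: the POST value is pasted into the SQL text,
    # so quotes inside it are parsed as SQL syntax rather than as data.
    db.execute("UPDATE users SET email='%s' WHERE id='%s'" % (new_email, user_id))

def update_email_bound(db, user_id, new_email):
    # Hardened form: the statement text is constant and the values are bound,
    # so the driver never interprets them as part of the SET clause.
    db.execute("UPDATE users SET email = ? WHERE id = ?", (new_email, user_id))

def fetch_user(db, user_id=1):
    return db.execute("SELECT email, adminlevel FROM users WHERE id = ?",
                      (user_id,)).fetchone()

def demo():
    results = {}
    db = make_db()
    update_email_concatenated(db, 1, POSTED_VALUE)
    results["concatenated"] = fetch_user(db)  # adminlevel column was changed

    db = make_db()
    update_email_bound(db, 1, POSTED_VALUE)
    results["bound"] = fetch_user(db)         # whole value stored as the email
    return results

if __name__ == "__main__":
    for name, user_row in demo().items():
        print(name, user_row)
```

Binding fixes this statement; granting the application's database account only the tables and columns it needs limits what any statement that was missed can touch.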