We have an exercise and are struggling to come up with a sql injection to find more data from the database in mySQL.
Here is how far we have got:
mySQL webpage result
In the above picture you can see we have managed to get the database to divulge the userid, user and passwd values.
To achieve this we have typed:
admin' --
in the login box
Then:
' union select table_name from information_schema.tables --
in the password box
However, this is not the entire goal of the exercise. We must discover the databases and tables that are available.
We are unsure why the response is not taking into account our query union select table_name from information_schema.tables.
Here is an example of what the response is if nothing is typed in either login or password box:
default mySQL webpage
Our tasks:
enumerate available tables in the database
find username with userid of 3 (done - right?)
find a table containing md5 hashes
Could someone point us in the right direction?
Why isnt our select table_name from information_schema.tables working?
UPDATE: we managed to get 238 rows returned after restructuring our initial query in the first login box to:
admin’ union select table_name,2,3 from information_schema.tables -- -
The fix: the amount of columns have to match between first select query and union select query.
You'll probably have to put the entire injection in the username box. At the moment the -- after the admin' in the login input is commenting the rest of the query.
i.e. The login box should contain admin' UNION SELECT table_name FROM information_schema.tables --
You may need to select padding columns from information_schema.tables as there is no way to tell how many columns the users table has.
Related
I am trying to get the table names and other relevant information with sql injection. The idea was to use a sqli union attack, to get that information from information_schema and then get the content of the tables.
To achieve that, I fisrt try to get the number of columns the query was returning this way:
?parameter=111 or 1=1 union select NULL,NULL,NULL,NULL--
I reached the conclusion that the query was returning 4 columns(all of them are strings), and the next step would be to get that information like this
?parameter=111 or 1=1 union select group_concat(table_name),2,3,4 from information_schema.tables where table_schema=database()
But this does not work, if I remove the where clause it does not work either, or with other tables.
Is like when I add the "from" it stops working.
Why is this? How can I get the table names?
PD: I also tried
?parameter=111 or 1=1 0>ASCII(substring(SELECT table_name from information_schema.tables,1,1))
but it always return false, regardless the value of what value I compare it to.
I want to select the nth element of the table list provided by the SHOW TABLES query.
If I use the following code to list them alphabetically:
WITH tableslist as (SHOW TABLES)
SELECT Tables_in_DBname FROM tableslist ORDER BY Tables_in_DBname
I get an error regarding the syntax near 'SHOW TABLES).
If I only do the SHOW TABLES query I get a table with the column Tables_in_DBname.
The main goal of this would be to populate a checkbox in VBA with the table names in the database, so in case I am looking in the completely wrong direction to go about this please correct me.
I am able to populate the cbo with the fields of specific tables, but I could not find a way to list the tables from the database as fields, so I am attempting to make an ordered list to select the nth element from.
The server type is MariaDB.
You can use information_schema.tables to get the list of tables:
SELECT table_name FROM information_schema.tables
WHERE table_schema = '<name of database>' ORDER BY table_name;
This allows you to build more complex queries that inspect the tables in the database.
I'm working through an SQL injection tutorial. I don't understand one aspect of an SQL statement which is used determine where the different columns in the table will be displayed on the web page and then used to execute statements. A previous SQL injection statement has been used to determine the number of columns in the table, which is 6. The SQL statement is
SELECT * FROM TableName Where id=12 union all select 1,2,3,4,5,6
I've researched the SELECT and UNION ALL statements and haven't been able to work out what is actually going on. My thinking is that the numbers in the 2nd select statement respresent the column numbers.
The second statement used to get the values from the table is:
SELECT * FROM TableName Where id=12 union all select 1,2,3,4,user(),6
What does the select 1,2,3,4,5,6 and select 1,2,3,4, user(),6 component of the SQL injection query actually do?
They are not column numbers but values. Assuming you can somehow inject the statement you now need something to do with it. The first example counts the columns. theUNION will fail when there are not enough columns. By adding more columns to the UNION eventually the statement will execute. Now you know how many columns there are.
The second one is injecting the user into the return result set. Assuming the result set gets displayed on the screen for some reason, you now have a user name (or service account name) with which to execute more statements on your database, escalate privileges or make service calls.
It's doing something like that. Without knowing more it's hard to know what exactly.
I'm starting to freak out because I seem to have a phantom table... it's not showing up in Navicat however if I run these two queries:
SELECT count(*) from messages;
SELECT count(*) from Messages;
I get two different sets of results!
However, the weird thing is if i run show tables I only see one table called messages
This freaks me out because i have no clue if data is going to mistakenly get throwing into the incorrect table Messages
Has anyone ever seen this before?
I'm not sure what to do.
Per Request
After running show table status like 'messages';
messages InnoDB 10 Compact 224163 222 49889280 0 53608448 8388608 208683 2014-08-23 20:16:11 latin1_swedish_ci
One more update
I've ran both:
SELECT * FROM information_schema.tables WHERE table_name = 'Messages';
SELECT * FROM information_schema.tables WHERE table_name = 'messages';
It's showing multiple records with different record counts
The scary part is I ran the same query for other tables in the database and all the other tables i tested with the same technique had the same problem.
It's as if I have two copies of each table, one with a capital first letter, the other with a lowercase, and it seems that the lowercase is the "freshest" of the two.
I'd recommend you check for the table using a query of information_schema.tables.
SELECT * FROM information_schema.tables WHERE table_name = 'Messages';
Also consider the possibility that someone created a view.
SELECT * FROM information_schema.views WHERE table_name = 'Messages';
There's a MySQL variable lower_case_tables_names that has an effect; the default value for this variable depends on the OS (Linux, Windows, OS X). (We have that explicitly set to 1 on our MySQL systems.) According to the reference manual:
"If you are using InnoDB tables, you should set this variable to 1 on all platforms to force names to be converted to lowercase."
(This section of the manual is does not describe the behavior you'd observe with InnoDB tables if this variable were set to something other than 1.)
Ref: http://dev.mysql.com/doc/refman/5.5/en/server-system-variables.html#sysvar_lower_case_table_names
Is it possible to retrieve the count of the number of columns a query returns? This can be easily done with a bound scripting language such as php, but I'm looking for db only solution.
Example:
CountCols(SELECT 'a','b','c')
=> 3
CountCols(SELECT * FROM information_schema.session_variables)
=> 2
Would this work for you?
select
count(*)
from
`information_schema`.`columns`
where
`table_schema` = 'my_table_schema' and `table_name` = 'my_table_name';
You only need to use table_schema if the table name exists in more than one database.
Based on your response comment, you are looking to count a dynamic number of columns. You may be able to do this with a temporary table, but you cannot access the data of a temporary table without possibly installing a patch.
Of note, there is a similar outstanding SO question asking how to select columns from a temporary table.
Well if you want to know the columns in a table just do:
DESCRIBE `table_name`
Otherwise there is no "real" way to get the number of columns in a select query since other than selecting * you select certain columns --> so you will know how many columns you are selecting.
You'll find your answer here most likely: http://dev.mysql.com/doc/refman/5.0/en/columns-table.html
Write a query off of that that takes a table name param and then query for columns of that table and sum that up.