The following is a textbook sql injection example:
SELECT id FROM table WHERE username = '$username' AND password = '$password'
if your site doesn't protect against sql injection you can simply send in password = anything' OR 'x'='x as the input and login without a password. easy.
attacker can also pass in '; DROP TABLE table; to drop the table from the db. And of course if the sql connection does have DROP permission than it will not work. Also attackers probably want to get more benefits by doing something other than simply dropping your table.
So the question is can the attackers carry out attacks to do UPDATE on table, get the structure on all tables, list tables or db by only attacking this vulnerability?
p.s: not that I want to use it to attack people but I am kinda curious what could happen at worst on my db..
Potentially, sure. If you can inject a DROP TABLE table; into the SQL statement that is executed, you could just as easily inject an UPDATE statement that modified whatever rows of whatever tables you'd like. You can also frequently add or modify a SELECT statement to show you information that you're interested in. For example, if you have a query like
select name
from people
where person_id = '$person'
you could inject something like
anything` union all select table_name from information_schema.tables
to produce a statement like
select name
from people
where person_id = 'anything'
union all
select table_name
from information_schema.tables
to show you all the tables. You can do the same sort of thing to get a list of columns in the tables and then start running queries to see what data is in the various tables.
Related
I have about 50 WordPress databases on a server. I need to quickly pull all values for admin_email from the wp_options table across each database.
What I'm hoping for is something like:
-- psuedocode, not sure how to correctly format something like this
foreach database in database_names
SELECT `option_value` FROM `wp_options`
WHERE `option_name`='admin_email';
I'm not sure how to go about this. I saw other questions recommending using the information_schema table, but all of my schemata.schema_name values are in the format of 'db_structure.php?db=db_name&token=some_token' --- I'm not sure if this is expected, and if so, how one would go about looping through each database name.
I'm using phpMyAdmin as my DB administration tool.
you can occupy a query in sql that returns you all list with UNION
SELECT email FROM dbo.tbname1
UNION
SELECT email FROM dbo.tbname2
UNION
SELECT email FROM dbo.tbname3
I have a database that contains a table per client, each table has the same columns in them. We're talking a few thousand client tables.
I need to add new columns to each of these tables for new development but cannot find a way to recurse all the tables in the database to add the columns. I know MS SQL has something sp_MSforeachtable which does maybe what I'm asking but I don't know if MySQL has anything similar?
As per this previous answer in SO you could do something like this :
select concat('ALTER TABLE `',table_name,'` ADD `test` INT NOT NULL AFTER `column_x`;')
from information_schema.tables
where table_schema = 'your_db_name'
Then remove the few tables not about client (here's hoping client is the only entity to have "private table") or if possible add a condition on the table_name (like AND table_name LIKE "client_%"), and execute the whole batch.
The 2nd solution, to use procedure, is too complex (for me) for this use case, but maybe someone more skilled than me in PLSQL won't agree.
I'm rather new at database management, so this might not be feasible, but I got a handful of SQL select queries, rather long ones at that. What I'd like is to get the table column names and structure, without access to the actual database, so as to get a map of all this queries.
context: All we have are the queries used to output tables that will be given to us latter.
This need not be done with actual SQL code, maybe a short script in other language or a utility somebody knows of (but I do have MySQL workbench)
You can add a CREATE TABLE statement in front of your select queries to get the column names.
You cannot infer data types or keys from select queries.
For column names do something like:
drop table if exists your_table_name;
create table your_table_name
select *
from ...
where the select * portion is replaced by the select queries you have.
Then to see the column names in a friendlier way you can do:
show create table your_table_name;
or
desc your_table_name;
I have the following problem. I have Table A and would like to join to table B if table B exists. Can this be done? I am only writing SQL in WorkBench to try achieve it.
I am aware I cannot use the EXISTS option as I have tried typing it out but it prompts for an error.
Any suggestions would be greatly appreciated.
Thanks.
I managed to do this using EXECUTE, so using a query that is only prepared at runtime:
SET #sqlCommand = IF(
EXISTS (SELECT column_name FROM information_schema.columns WHERE table_schema = '{{yourschemaname}}' AND table_name = '{{yourtablename}}' AND column_name = '{{yourcolumnname}}'),
'SELECT \'Yes! Good to go!\' as ColumnExists',
'SELECT \'Nope!\' as ColumnExists');
PREPARE executable FROM #sqlCommand;
EXECUTE executable;
Note that the two selects at the center (Yes!/No!) are the custom statements that are to be executed conditionally. So if the column exists, the first command is executed (select 'yes!'), otherwise the second one (select 'nope').
I got the hint from this discussion here.. have a look if you're looking for the MSSQL equivalent: https://ask.sqlservercentral.com/questions/97579/check-if-table-exists-in-join.html
Data manipulation language statements are typically written for a specific schema; you are assumed to know what the schema looks like when you issue the statement. So you don't generally have the capacity to ask whether a particular schema object exists or has a particular structure. You could however write a stored procedure that did different things depending upon the schema. You have the ability in a stored procedure to use conditional statements and to look in INFORMATION_SCHEMA.
I need to demonstrate SQL Inject using PHP/MySQL. I want to inject a DROP TABLE query in a login form but it never works. (TRUNCATE table works fine OTOH).
After I input '; drop table users; # as field input; query turns out to be
SELECT * FROM `users` WHERE `email` = ''; DROP TABLE users; #' AND `password` LIKE '3232';
But it never works using mysql_query() function. When I copy/paste this query in PHPmyAdmin directly, it works perfectly and table gets dropped. What can be the issue?
MULTIPLE SQL Execution is not enabled by defaults.
So SQL Injection like ;drop table won't work. please enable multiple sql execution. this could be enabled like http://php.net/manual/en/mysqli.quickstart.multiple-statement.php if you are using mysqli.
useful SQL Injection is :
SELECT COUNT(*) FROM users
WHERE user_id = '$user_id' AND passwd = '$passwd'
and user inserts passwd to ' || '1' = '1.
This is not possible in php/MySQL as php does not support stacked queries. The moment you inject semicolon (;) it will fail.
You can do many other much more creative exploits using sql injection in a php-mysql application though.
Enumerate all databases
Table Names and Column Names
Values stored in tables
Upload a php backdoor
Check Out for SQL-Map as well.