We have an exercise and are struggling to come up with a sql injection to find more data from the database in mySQL.
Here is how far we have got: mySQL webpage result
In the above picture you can see we have managed to get the database to divulge the userid, user and passwd values.
To achieve this we have typed:
admin' --
in the login box
Then:
' union select table_name from information_schema.tables --
in the password box
However, this is not the entire goal of the exercise. We must discover the databases and tables that are available.
We are unsure why the response is not taking into account our query union select table_name from information_schema.tables.
Here is an example of what the response is if nothing is typed in either login or password box: default mySQL webpage
Our tasks:
- enumerate available tables in the database
- find username with userid of 3 (done - right?)
- find a table containing md5 hashes
Could someone point us in the right direction?
Why isnt our select table_name from information_schema.tables working?
UPDATE: we managed to get 238 rows returned after restructuring our initial query in the first login box to:
admin’ union select table_name,2,3 from information_schema.tables -- -
The fix: the amount of columns have to match between first select query and union select query.
CodePudding user response:
You'll probably have to put the entire injection in the username box. At the moment the -- after the admin' in the login input is commenting the rest of the query.
i.e. The login box should contain admin' UNION SELECT table_name FROM information_schema.tables --
You may need to select padding columns from information_schema.tables as there is no way to tell how many columns the users table has.