Satal Keto, posted December 15, 2008

I have set up a simple PHP script on my server which takes a GET parameter, runs it through addslashes() and then uses it as a criteria, so...

    $qry = "SELECT * FROM tblTest WHERE TestID = " . addslashes($_GET['id']);

Now I know full well that this code is vulnerable; it's designed to have some level of protection just to allow me to practice my SQL injection.

Now the problem I am having is that I am able to get a list of all the tables by doing the following:

    http://homeserver/test.php?id=-1 union all select 1,table_name from information_schema.tables limit 0,1

which will get the first entry, then...

    http://homeserver/test.php?id=-1 union all select 1,table_name from information_schema.tables limit 1,1

to get the second entry, and so on.

The problem comes when I am trying to get a list of the columns in one of the tables (obviously I know what they are (id, testfield) but that's defeating the purpose). The SQL injection that I would normally use to get the list of columns would be...

    http://homeserver/test.php?id=-1 union all select 1,column_name from information_schema.columns where table = 'tblTest' limit 0,1

Obviously I would be incrementing the limit offset to find the other columns. Now I already mentioned I am running the GET parameter through addslashes, which won't have any problem with me doing the first set of SQL injections as there aren't any quotes or characters which get escaped, but to get the columns I need to specify the table (well, it would be possible for me to use concat() to put the table name and column name together in the output, thereby not requiring me to specify the table, but I would like to avoid that if possible as that would take many attempts to even find the right table). Unfortunately MySQL doesn't give tables IDs, which would make it easier.
Anyway, hopefully someone will know of a decent way around this problem :) Thanks for any help in advance, Satal :D
Satal Keto (author), posted December 18, 2008

I just thought that I would post one possible answer to this. MySQL has a function, CHAR(), which converts a number into its ASCII version; for example

    CHAR(116,98,108,84,101,115,116)

would return 'tblTest' (without the quotes).
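The defensive counterpart, added here and not part of either post: the lookup from the first post rewritten so the id is never spliced into the SQL text. addslashes() only escapes quote characters, and the original query puts the id in a numeric context with no quotes around it, so an integer check plus a bound parameter is what actually closes the hole. The table and column names are the ones the thread uses; the PDO DSN, credentials and JSON output are placeholder assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not the poster's script: the same lookup with the id bound
// as a typed parameter instead of being concatenated into the query text.
// tblTest / TestID come from the thread; DSN and credentials are placeholders.

function fetchTestRow(PDO $db, string $rawId): ?array
{
    // A TestID is an integer. Reject anything that is not exactly a decimal
    // integer before it gets near the database: addslashes() would pass
    // "-1 union all select ..." through untouched, because there is no
    // quote character in it to escape.
    if (!preg_match('/^-?\d{1,10}$/', $rawId)) {
        return null;
    }
    $id = (int) $rawId;

    // Placeholder + bindValue(PDO::PARAM_INT): the value travels separately
    // from the SQL text, so it cannot change the statement's structure.
    $stmt = $db->prepare('SELECT * FROM tblTest WHERE TestID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Assumed connection settings (placeholders). Turning emulated prepares off
// makes MySQL itself parse the statement with the placeholder still in it.
$db = new PDO('mysql:host=localhost;dbname=testdb', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$row = fetchTestRow($db, $_GET['id'] ?? '');
header('Content-Type: application/json');
echo json_encode($row ?? ['error' => 'not found']);
```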