w01f Posted June 21, 2020 Share Posted June 21, 2020 I'll use DVWA in this example as the code is available for everyone. Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment. You can get it here and set it up on your personal lab http://www.dvwa.co.uk/ Now I know that it's not possible to use tick/quote in SQL Injection Medium Level due to "mysql_real_escape_string()" PHP function. mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a. https://www.php.net/manual/en/function.mysql-real-escape-string.php That's fine. I solved the Medium solution without using quote. It's easy because the number of data in DVWA is limited. But what happens when there's bigger data? Let me give an example. I was able to enumerate ALL columns name from current database. The problem is I wanted to get only column from table "users". As you can see, the following command actually list out all columns from ALL tables including "users" and also "guestbook" 1 UNION SELECT NULL,CONCAT(column_name) FROM information_schema.columns WHERE table_schema=DATABASE()-- - This is how it looks like when I selecting "table_schema,table_name,column_name" in MySQL. mysql> SELECT table_schema,table_name,column_name FROM information_schema.columns WHERE table_schema=DATABASE(); +--------------+------------+-------------+ | table_schema | table_name | column_name | +--------------+------------+-------------+ | dvwa | guestbook | comment_id | | dvwa | guestbook | comment | | dvwa | guestbook | name | | dvwa | users | user_id | | dvwa | users | first_name | | dvwa | users | last_name | | dvwa | users | user | | dvwa | users | password | | dvwa | users | avatar | +--------------+------------+-------------+ 9 rows in set (0.00 sec) The only solution that I can think of at the moment is by limiting the output only for "users" table by using MySQL WHERE and AND clause. However, tick is not allowed by "mysql_real_escape_string" function and this code will cause an error. 1 UNION SELECT NULL,CONCAT(column_name) FROM information_schema.columns WHERE table_schema=DATABASE() AND table_name='users'-- - Error (which expected because of quote) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'users\'-- -' at line 1 Is there a way to get around this? How do I use tick when it's not possible? Quote Link to comment Share on other sites More sharing options...
w01f Posted June 21, 2020 Author Share Posted June 21, 2020 How do I modify the original post? I can't find "Edit" button in this page. Thanks Quote Link to comment Share on other sites More sharing options...
digininja Posted June 21, 2020 Share Posted June 21, 2020 Look at the CHAR function, you might need USING with it. You also may need CONCAT. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.