Getting DB name in SQLInjection
I am studying SQL injection on some training web pages (so I don't know what the backend is). I am trying the following injection to find out the DB type.



(1) http://url/?departamento=1 union select user()


This way, if the DB is MySQL, I should get some results. However, I don't see any results. If I change the injection to this new statement, the data is returned correctly, so the DB is MySQL (I can even see the DB name with this new injection):



(2) http://url/?departamento=1 union select 1,user()


Nevertheless, if I change the injection again to one of these, the results change.



(3) http://url/?departamento=1 union select 1,2,user() (I don't see any data)
(4) http://url/?departamento=1 union select user(),2 (Here I don't see the DB name)


I don't understand why I should have to add more columns (in the 2nd select statement) to see the data. Why is this happening?



Thanks!
    If you use the UNION operator then the number of fields of the first query has to be identical to the number of fields of the second query. So I guess that the statement processing the departamento=1 parameter expects two fields.

    – digijay
    Nov 25 '18 at 19:21
  • @D.Joe Nice, thanks! I was reading the documentation but I didn't understand it. This is really helpful since I get DBName@Username. That is why I can see the DB name too. Thanks again!! :D

    – Miguel.G
    Nov 25 '18 at 19:24
    It's just like in this cartoon: xkcd.com/327 Keep hacking! :o)

    – digijay
    Nov 25 '18 at 19:32
mysql sql database sql-injection
asked Nov 25 '18 at 19:15
Miguel.G
1 Answer
Suppose the backend is Java; the code is doing something similar to this:



import java.sql.Date;
import java.sql.ResultSet;
import java.sql.Statement;

// injected value: 1 union select 1,user()
// deliberately vulnerable: the request parameter is concatenated into the SQL text
String query = "select a, b, c from someTable where departamento = "
        + request.getParameter("departamento"); // the injection is here
try (Statement stmt = con.createStatement();
     ResultSet rs = stmt.executeQuery(query)) { // the query string has to be passed here
    while (rs.next()) {
        int a = rs.getInt(1);       // column "a": throws if the union put a non-numeric value here
        String b = rs.getString(2); // column "b"
        Date c = rs.getDate(3);     // column "c"
        System.out.println("a: " + a + ", b: " + b + ", c: " + c);
    }
}


For the injection to work, you need to generate a valid SQL statement.




  • Your union must have the same number of columns as the source query.

  • Your column types must match; the type of each column in the first subquery must be the same as in the second subquery (some databases may fail the query because of that).

  • Your criteria ("1") must match the right-hand side of the filter (departamento).

  • Probably specific to Java (and this example): for the loop to work, you need to be able to cast your column to its target type. If column 1 is a number, then it is likely you'll never be able to display its content if your union produces a string not convertible to a number.
  • Thank you! It was very useful :)

    – Miguel.G
    Nov 28 '18 at 10:47
answered Nov 25 '18 at 19:26
NoDataFound
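The following is an added example, not code from the question or from NoDataFound's answer. It reproduces all four inputs from the question against an in-memory SQLite database (constructed here; it stands in for the MySQL backend of the training site, and `sqlite_version()` stands in for MySQL's `user()`, which SQLite does not have). The original query is assumed to return two columns, as digijay guessed in the comments. It shows the three outcomes the thread describes (wrong column count fails as SQL, matching count returns the extra row, a string in the numeric column breaks the application's rendering loop) and, beside the concatenating lookup, the parameterised lookup that treats the same inputs as plain values.

```python
"""Why a UNION payload has to match the original query's column count.

Added example; not code from the question or the answer. An in-memory
SQLite database (constructed below) stands in for the MySQL backend, and
sqlite_version() stands in for MySQL's user(). The original query is
assumed to return two columns (id, nombre).
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: two columns, two rows."""
    con = sqlite3.connect(":memory:")
    con.execute("create table departamentos (id integer, nombre text)")
    con.executemany(
        "insert into departamentos values (?, ?)",
        [(1, "Ventas"), (2, "Compras")],
    )
    return con


def vulnerable_lookup(con: sqlite3.Connection, departamento: str):
    """String concatenation, like the answer's Java snippet.

    Returns the rows, or the database error message when the concatenated
    statement is not valid SQL (which is what a UNION with the wrong number
    of columns produces)."""
    sql = "select id, nombre from departamentos where id = " + departamento
    try:
        return con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return str(exc)


def safe_lookup(con: sqlite3.Connection, departamento: str):
    """Parameterised form: the value is bound, never parsed as SQL."""
    return con.execute(
        "select id, nombre from departamentos where id = ?", (departamento,)
    ).fetchall()


def render_like_java(rows):
    """Mimic the answer's loop: rs.getInt(1) then rs.getString(2).

    A non-numeric value that the UNION placed in the first column makes
    getInt throw in Java; int() raises ValueError here for the same reason."""
    return [f"a: {int(a)}, b: {b}" for a, b in rows]


def outcome(con: sqlite3.Connection, departamento: str) -> str:
    """Summarise what the concatenating application would show for one input."""
    result = vulnerable_lookup(con, departamento)
    if isinstance(result, str):
        return "query error"
    try:
        render_like_java(result)
    except ValueError:
        return f"{len(result)} rows, but rendering failed"
    return f"{len(result)} rows rendered"


# The four inputs from the question, with sqlite_version() in place of user().
INPUTS = {
    "(1) one column": "1 union select sqlite_version()",
    "(2) two columns": "1 union select 1,sqlite_version()",
    "(3) three columns": "1 union select 1,2,sqlite_version()",
    "(4) swapped columns": "1 union select sqlite_version(),2",
}


def demo() -> dict:
    """Run every input through both lookups: (vulnerable outcome, safe row count)."""
    con = make_db()
    return {
        label: (outcome(con, value), len(safe_lookup(con, value)))
        for label, value in INPUTS.items()
    }


if __name__ == "__main__":
    for label, (vuln, safe_rows) in demo().items():
        print(f"{label:20s} vulnerable: {vuln:30s} parameterised: {safe_rows} rows")
```

Inputs (1) and (3) never reach the application loop because the database rejects the compound statement; input (2) comes back as a second row, which is the "DBName@Username" the asker saw; input (4) returns two rows but the application cannot convert the version string to an integer, matching the answer's last bullet. The parameterised lookup returns zero rows for all four, because the bound value is compared as a value and never re-parsed as SQL.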