Getting DB name in SQLInjection












1















I am studiying SQLInjection in some training webpages (so I don't know what is the backend). I am triying next injection to get de DB type.



(1) http://url/?departamento=1 union select user()


By this way, if the DB is MySQL, I should get some results. However, I don't see any results. If I change the injection to this new sentence, the data is returned correctly, so the DB is MySQL (Even I can see the DB name with this new injection):



(2) http://url/?departamento=1 union select 1,user()


Nevertheless, If I change again the injection to one of these the results change.



(3) http://url/?departamento=1 union select 1,2,user() (I don't see any data)

(4) http://url/?departamento=1 union select user(),2 (Here I don't see the DB name)


I don't understand why should I add (in the 2nd select statement) more columns to see the data. Why is this happening?



Thanks!






mysql sql database sql-injection







share|improve this question


















  • 1





    If you use the UNION operator then the number of fields of the first query has to be identical to the number of fields of the second query. So I guess that the statement processing the departamento=1 parameter expects two fields.

    – digijay
    Nov 25 '18 at 19:21











  • @D.Joe Nice Thanks! I was reading the documentation but I didn't understand it. This is really helpful since I get DBName@Username. That is why I can see the DB name too. Thanks again!! :D

    – Miguel.G
    Nov 25 '18 at 19:24








  • 1





    It's just like in this cartoon: xkcd.com/327 Keep hacking! :o)

    – digijay
    Nov 25 '18 at 19:32


















1















I am studiying SQLInjection in some training webpages (so I don't know what is the backend). I am triying next injection to get de DB type.



(1) http://url/?departamento=1 union select user()


By this way, if the DB is MySQL, I should get some results. However, I don't see any results. If I change the injection to this new sentence, the data is returned correctly, so the DB is MySQL (Even I can see the DB name with this new injection):



(2) http://url/?departamento=1 union select 1,user()


Nevertheless, If I change again the injection to one of these the results change.



(3) http://url/?departamento=1 union select 1,2,user() (I don't see any data)

(4) http://url/?departamento=1 union select user(),2 (Here I don't see the DB name)


I don't understand why should I add (in the 2nd select statement) more columns to see the data. Why is this happening?



Thanks!






mysql sql database sql-injection







share|improve this question


















  • 1





    If you use the UNION operator then the number of fields of the first query has to be identical to the number of fields of the second query. So I guess that the statement processing the departamento=1 parameter expects two fields.

    – digijay
    Nov 25 '18 at 19:21











  • @D.Joe Nice Thanks! I was reading the documentation but I didn't understand it. This is really helpful since I get DBName@Username. That is why I can see the DB name too. Thanks again!! :D

    – Miguel.G
    Nov 25 '18 at 19:24








  • 1





    It's just like in this cartoon: xkcd.com/327 Keep hacking! :o)

    – digijay
    Nov 25 '18 at 19:32
















1












1








1


1






I am studiying SQLInjection in some training webpages (so I don't know what is the backend). I am triying next injection to get de DB type.



(1) http://url/?departamento=1 union select user()


By this way, if the DB is MySQL, I should get some results. However, I don't see any results. If I change the injection to this new sentence, the data is returned correctly, so the DB is MySQL (Even I can see the DB name with this new injection):



(2) http://url/?departamento=1 union select 1,user()


Nevertheless, If I change again the injection to one of these the results change.



(3) http://url/?departamento=1 union select 1,2,user() (I don't see any data)

(4) http://url/?departamento=1 union select user(),2 (Here I don't see the DB name)


I don't understand why should I add (in the 2nd select statement) more columns to see the data. Why is this happening?



Thanks!






mysql sql database sql-injection







share|improve this question














I am studiying SQLInjection in some training webpages (so I don't know what is the backend). I am triying next injection to get de DB type.



(1) http://url/?departamento=1 union select user()


By this way, if the DB is MySQL, I should get some results. However, I don't see any results. If I change the injection to this new sentence, the data is returned correctly, so the DB is MySQL (Even I can see the DB name with this new injection):



(2) http://url/?departamento=1 union select 1,user()


Nevertheless, If I change again the injection to one of these the results change.



(3) http://url/?departamento=1 union select 1,2,user() (I don't see any data)

(4) http://url/?departamento=1 union select user(),2 (Here I don't see the DB name)


I don't understand why should I add (in the 2nd select statement) more columns to see the data. Why is this happening?



Thanks!






mysql sql database sql-injection




mysql sql database sql-injection






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 25 '18 at 19:15









Miguel.GMiguel.G

9810




9810








  • 1





    If you use the UNION operator then the number of fields of the first query has to be identical to the number of fields of the second query. So I guess that the statement processing the departamento=1 parameter expects two fields.

    – digijay
    Nov 25 '18 at 19:21











  • @D.Joe Nice Thanks! I was reading the documentation but I didn't understand it. This is really helpful since I get DBName@Username. That is why I can see the DB name too. Thanks again!! :D

    – Miguel.G
    Nov 25 '18 at 19:24








  • 1





    It's just like in this cartoon: xkcd.com/327 Keep hacking! :o)

    – digijay
    Nov 25 '18 at 19:32
















  • 1





    If you use the UNION operator then the number of fields of the first query has to be identical to the number of fields of the second query. So I guess that the statement processing the departamento=1 parameter expects two fields.

    – digijay
    Nov 25 '18 at 19:21











  • @D.Joe Nice Thanks! I was reading the documentation but I didn't understand it. This is really helpful since I get DBName@Username. That is why I can see the DB name too. Thanks again!! :D

    – Miguel.G
    Nov 25 '18 at 19:24








  • 1





    It's just like in this cartoon: xkcd.com/327 Keep hacking! :o)

    – digijay
    Nov 25 '18 at 19:32










1




1





If you use the UNION operator then the number of fields of the first query has to be identical to the number of fields of the second query. So I guess that the statement processing the departamento=1 parameter expects two fields.

– digijay
Nov 25 '18 at 19:21





If you use the UNION operator then the number of fields of the first query has to be identical to the number of fields of the second query. So I guess that the statement processing the departamento=1 parameter expects two fields.

– digijay
Nov 25 '18 at 19:21













@D.Joe Nice Thanks! I was reading the documentation but I didn't understand it. This is really helpful since I get DBName@Username. That is why I can see the DB name too. Thanks again!! :D

– Miguel.G
Nov 25 '18 at 19:24







@D.Joe Nice Thanks! I was reading the documentation but I didn't understand it. This is really helpful since I get DBName@Username. That is why I can see the DB name too. Thanks again!! :D

– Miguel.G
Nov 25 '18 at 19:24






1




1





It's just like in this cartoon: xkcd.com/327 Keep hacking! :o)

– digijay
Nov 25 '18 at 19:32







It's just like in this cartoon: xkcd.com/327 Keep hacking! :o)

– digijay
Nov 25 '18 at 19:32














1 Answer
1






active

oldest

votes


















1














Suppose the backend is Java, the code is doing something similar to that:



// 1 union select 1,user()

String query = "select a, b, c from someTable where departamento = " 

             + request.getParameter("departamento"); // the injection is here

try (Statement stmt = con.createStatement()) {

  try (Result rs = stmt.executeQuery()) {

    while (rs.next()) {

      int a = rs.getInt(1); // column "a"

      String b = rs.getString(2); // column "b"

      Date c = rs.getDate(3); // column "c"

      System.out.println("a: " + a + ", b: " + b + ", " c: " + c);

    }

  }

}


For the injection to work, you need to generate a valid SQL statement.




  • Your union must have the same number of columns than the source query

  • Your column type must match; type of columns in first subquery must be the same than in second subquery (some database may fail the query because of that).

  • Your criteria ("1") must match the right hand side of the filter (departemento)

  • Probably specific to Java (and this example), for the loop to work, you need to be able to cast your column to its target type. If column 1 is a number, then it is likely you'll never be able to display its content if your union produce a string not convertible to a number.






share|improve this answer
























  • Thank you! It was very useful :)

    – Miguel.G
    Nov 28 '18 at 10:47











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53470986%2fgetting-db-name-in-sqlinjection%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














Suppose the backend is Java, the code is doing something similar to that:



// 1 union select 1,user()

String query = "select a, b, c from someTable where departamento = " 

             + request.getParameter("departamento"); // the injection is here

try (Statement stmt = con.createStatement()) {

  try (Result rs = stmt.executeQuery()) {

    while (rs.next()) {

      int a = rs.getInt(1); // column "a"

      String b = rs.getString(2); // column "b"

      Date c = rs.getDate(3); // column "c"

      System.out.println("a: " + a + ", b: " + b + ", " c: " + c);

    }

  }

}


For the injection to work, you need to generate a valid SQL statement.




  • Your union must have the same number of columns than the source query

  • Your column type must match; type of columns in first subquery must be the same than in second subquery (some database may fail the query because of that).

  • Your criteria ("1") must match the right hand side of the filter (departemento)

  • Probably specific to Java (and this example), for the loop to work, you need to be able to cast your column to its target type. If column 1 is a number, then it is likely you'll never be able to display its content if your union produce a string not convertible to a number.






share|improve this answer
























  • Thank you! It was very useful :)

    – Miguel.G
    Nov 28 '18 at 10:47
















1














Suppose the backend is Java, the code is doing something similar to that:



// 1 union select 1,user()

String query = "select a, b, c from someTable where departamento = " 

             + request.getParameter("departamento"); // the injection is here

try (Statement stmt = con.createStatement()) {

  try (Result rs = stmt.executeQuery()) {

    while (rs.next()) {

      int a = rs.getInt(1); // column "a"

      String b = rs.getString(2); // column "b"

      Date c = rs.getDate(3); // column "c"

      System.out.println("a: " + a + ", b: " + b + ", " c: " + c);

    }

  }

}


For the injection to work, you need to generate a valid SQL statement.




  • Your union must have the same number of columns than the source query

  • Your column type must match; type of columns in first subquery must be the same than in second subquery (some database may fail the query because of that).

  • Your criteria ("1") must match the right hand side of the filter (departemento)

  • Probably specific to Java (and this example), for the loop to work, you need to be able to cast your column to its target type. If column 1 is a number, then it is likely you'll never be able to display its content if your union produce a string not convertible to a number.






share|improve this answer
























  • Thank you! It was very useful :)

    – Miguel.G
    Nov 28 '18 at 10:47














1












1








1







Suppose the backend is Java, the code is doing something similar to that:



// 1 union select 1,user()

String query = "select a, b, c from someTable where departamento = " 

             + request.getParameter("departamento"); // the injection is here

try (Statement stmt = con.createStatement()) {

  try (Result rs = stmt.executeQuery()) {

    while (rs.next()) {

      int a = rs.getInt(1); // column "a"

      String b = rs.getString(2); // column "b"

      Date c = rs.getDate(3); // column "c"

      System.out.println("a: " + a + ", b: " + b + ", " c: " + c);

    }

  }

}


For the injection to work, you need to generate a valid SQL statement.




  • Your union must have the same number of columns than the source query

  • Your column type must match; type of columns in first subquery must be the same than in second subquery (some database may fail the query because of that).

  • Your criteria ("1") must match the right hand side of the filter (departemento)

  • Probably specific to Java (and this example), for the loop to work, you need to be able to cast your column to its target type. If column 1 is a number, then it is likely you'll never be able to display its content if your union produce a string not convertible to a number.






share|improve this answer













Suppose the backend is Java, the code is doing something similar to that:



// 1 union select 1,user()

String query = "select a, b, c from someTable where departamento = " 

             + request.getParameter("departamento"); // the injection is here

try (Statement stmt = con.createStatement()) {

  try (Result rs = stmt.executeQuery()) {

    while (rs.next()) {

      int a = rs.getInt(1); // column "a"

      String b = rs.getString(2); // column "b"

      Date c = rs.getDate(3); // column "c"

      System.out.println("a: " + a + ", b: " + b + ", " c: " + c);

    }

  }

}


For the injection to work, you need to generate a valid SQL statement.




  • Your union must have the same number of columns than the source query

  • Your column type must match; type of columns in first subquery must be the same than in second subquery (some database may fail the query because of that).

  • Your criteria ("1") must match the right hand side of the filter (departemento)

  • Probably specific to Java (and this example), for the loop to work, you need to be able to cast your column to its target type. If column 1 is a number, then it is likely you'll never be able to display its content if your union produce a string not convertible to a number.







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 25 '18 at 19:26









NoDataFoundNoDataFound

5,8311841




5,8311841













  • Thank you! It was very useful :)

    – Miguel.G
    Nov 28 '18 at 10:47



















  • Thank you! It was very useful :)

    – Miguel.G
    Nov 28 '18 at 10:47

















Thank you! It was very useful :)

– Miguel.G
Nov 28 '18 at 10:47





Thank you! It was very useful :)

– Miguel.G
Nov 28 '18 at 10:47




















draft saved

draft discarded




















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53470986%2fgetting-db-name-in-sqlinjection%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Costa Masnaga

Image
.mw-parser-output .avviso .mbox-text-div>div,.mw-parser-output .avviso .mbox-text-full-div>div{font-size:90%}.mw-parser-output .avviso .mbox-image div{width:52px}.mw-parser-output .avviso .mbox-text-full-div .hide-when-compact{display:block} Questa voce o sezione sull'argomento Lombardia non cita le fonti necessarie o quelle presenti sono insufficienti . Puoi migliorare questa voce aggiungendo citazioni da fonti attendibili secondo le linee guida sull'uso delle fonti. Segui i suggerimenti del progetto di riferimento. Costa Masnaga comune Localizzazione Stato   Italia Regione Lombardia Provincia Lecco Amministrazione Sindaco Sabina Panzeri (Al centro il cittadino) dall'08/06/2009 Territorio Coordinate 45°46′N 9°17′E  /  45.766667°N 9.283333°E 45.766667; 9.283333  ( Costa Masnaga ) Coordinate: 45°46′N 9°17′E  /  45.766667°N 9.283333°E 45.766667; 9.283333  ( Costa Masnaga ) Altitudine 318 m s.l.m...
Read more

Fotorealismo

Image
Guerrino Boatto, Venice's St. Barnaba Church and canal Il fotorealismo è un genere di pittura basato sull'uso di una o più fotografie dalle quali l'artista prende le informazioni necessarie da utilizzare poi nel processo della creazione dell'opera, in genere ad olio o ad acrilico, al fine di avere un aspetto finale il più simile possibile alla fotografia. Indice 1 Storia 2 Lista dei fotorealisti 3 Note 4 Voci correlate 5 Altri progetti Storia | Il fotorealismo è un movimento che nasce negli Stati Uniti d'America alla fine degli anni sessanta [1] sulla scia della Pop Art [2] [3] [4] , e insieme condividono il carattere reazionario verso la travolgente ascesa dei media, che alla metà del ventesimo secolo si trasforma in un fenomeno di massa talmente imponente da minacciare il valore dell'immagine nell'arte. [5] [6] Ne consegue così che, colto il gesto d'inizio che fu della Pop Art, i fotorealisti aprono ad un ...
Read more

Sidney Franklin

Image
Questa voce sull'argomento registi statunitensi è solo un abbozzo . Contribuisci a migliorarla secondo le convenzioni di Wikipedia. Sidney Franklin, foto di Carl Van Vechten Oscar alla memoria Irving G. Thalberg 1943 Sidney Franklin , all'anagrafe Sidney Arnold Franklin , (San Francisco, 21 marzo 1893 – Santa Monica, 18 maggio 1972), è stato un regista, produttore cinematografico e attore statunitense. Il 20 giugno 1963, si sposò con l'attrice australiana Enid Bennett. Il matrimonio durò fino alla morte dell'attrice, il 14 maggio 1969 [1] Indice 1 Filmografia 1.1 Regista 1.2 Aiuto regia (parziale) 1.3 Produttore 1.4 Attore (parziale) 2 Note 3 Altri progetti 4 Collegamenti esterni Filmografia | Regista | The Baby , co-regia Chester M. Franklin (1915) The Rivals , co-regia Chester M. Franklin (1915) Little Dick's First Case , co-regia Chester M. Franklin (1915) Her Filmland Hero , co-...
Read more