If I have a filter on a webserver level that filters input such as the word "users", which will make a statement such as "SELECT * FROM users" invalid, how would I go about getting around that?
As in, is there a way to query a table without actually using the real name?
Does MySQL accept some other form of the table name? Hex or maybe some form of index?
MySQL table name alias
"The best place to hide a tree, is in a forest"
- bad_brain
Re: MySQL table name alias
tricky....hex is not working anymore since mysql5 afaik, but you can try:
Code:
select hex('users');
put a 0x in front of the returned value and see if it accepts:
Code:
show columns from 0x.....;
just tried it on 5.0.32 on Squeeze, but no luck.
maybe you could try the LIKE statement and instead of "users" try "use" or "sers"...might work if you have only one table that matches the LIKE.
edit: also have a look here for the use of aliases: http://www.w3schools.com/sql/sql_alias.asp
bad thing is the original table/column name is still used in the FROM..AS statement, so no idea if this will not also be filtered then...
- CommonStray
Re: MySQL table name alias
As far as I know you should only be able to alias column names
Code:
SELECT data1 AS data2 FROM table
Why are table names being filtered on the web server level in the first place? Client request filtering like in mod_security and escaping data in the web application are adequate if applied properly to protect against SQL Injection. If it's a matter of you not wanting people to guess the table name, just name it something else.
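An added example, not part of any post in this thread: it contrasts a keyword filter of the kind being discussed with a bound-parameter query in the application. The filter function, the keyword list, the sample table and the use of in-memory SQLite as a stand-in for MySQL are all assumptions made for illustration; the CONCAT(...) spelling is the one posted later in the thread.

```python
import sqlite3

# Constructed keyword list, modelled on the "users" filter described in the thread.
BLOCKED = ("users",)


def filter_allows(value):
    """Hypothetical web-server keyword filter: pass input unless it contains a blocked word."""
    lowered = value.lower()
    return not any(word in lowered for word in BLOCKED)


def open_db():
    """In-memory SQLite stand-in for the MySQL database, filled with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany(
        "INSERT INTO articles (title) VALUES (?)",
        [("Guide for new users",), ("O'Brien's release notes",), ("Changelog",)],
    )
    return db


def search(db, term):
    """Bound parameter: the term is only ever compared as data, never parsed as SQL."""
    rows = db.execute(
        "SELECT title FROM articles WHERE title LIKE '%' || ? || '%' ORDER BY id",
        (term,),
    )
    return [title for (title,) in rows]


# Constructed request values: a legitimate search the filter rejects, a value with a
# quote character, and the encoded spelling from the thread, which the filter passes.
SAMPLES = [
    "users",
    "O'Brien",
    "CONCAT(CHAR(117),CHAR(115),CHAR(101),CHAR(114),CHAR(115))",
]


def report(db):
    """Return (value, filter decision, parameterized query result) for each sample."""
    return [(value, filter_allows(value), search(db, value)) for value in SAMPLES]


if __name__ == "__main__":
    for value, allowed, hits in report(open_db()):
        print(f"{value!r}: filter_allows={allowed}, parameterized hits={hits}")
```

The filter rejects the ordinary search term and passes the encoded spelling, while the parameterized query returns correct results for all three values without any filtering.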
Re: MySQL table name alias
CommonStray wrote: Why are table names being filtered on the web server level in the first place? Client request filtering like in mod_security and escaping data in the web application are adequate if applied properly to protect against SQL Injection. If it's a matter of you not wanting people to guess the table name, just name it something else.
Well, it's not my server.
It's a guy who thinks that filtering out the table name will protect him.
And I want to prove him wrong.
The first "protection" he used was to filter out the word "SELECT" in a different way, but then I just HTML encoded it to go around it.
But this time he is filtering the word "users" instead in a different way (hex doesn't work anymore).
EDIT:
b_b: I tried to use LIKE but it won't accept that.
And I also tried the following now
Code:
SELECT * FROM (SELECT table_name FROM information_schema.tables WHERE table_name = 0x706c6179657273) AS test;
But it just returns the result from the nested statement, and not the outer one ... darn it! ^^
Oh well, I will continue experimenting with this.
- bad_brain
Re: MySQL table name alias
hm, try decimal values:
Code:
mysql> SELECT CONCAT(CHAR(117),CHAR(115),CHAR(101),CHAR(114),CHAR(115));
+-----------------------------------------------------------+
| CONCAT(CHAR(117),CHAR(115),CHAR(101),CHAR(114),CHAR(115)) |
+-----------------------------------------------------------+
| users                                                     |
+-----------------------------------------------------------+
1 row in set (0.00 sec)
also experiment with the ENCODE/DECODE function, I just couldn't test it because the returned string is binary and so you can't simply copy&paste it.....but:
Code:
SELECT ENCODE('users', 'pass');
then storing the returned value in a table and pull it from the table in the query again (instead of the "users" in cleartext) might work:
Code:
SELECT DECODE('cryptedstring', 'pass');
Re: MySQL table name alias
humhum, I tried the following
Code:
SELECT * FROM CONCAT(CHAR(117),CHAR(115),CHAR(101),CHAR(114),CHAR(115));
But it returned an error ... : <
Will try the next method later