MySQL table name alias

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00


Post by ayu »

If I have a filter on a webserver level that filters input such as the word "users", which makes a statement such as "SELECT * FROM users" invalid, how would I go about getting around that?

As in, is there a way to query a table without actually using the real name?
Does MySQL accept some other form of the table name? Hex, or maybe some form of index?
"The best place to hide a tree, is in a forest"

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Re: MySQL table name alias

Post by bad_brain »

tricky... hex is not working anymore since MySQL 5 AFAIK, but you can try:

    select hex('users');

put a 0x in front of the returned value and see if it accepts:

    show columns from 0x.....;

just tried it on 5.0.32 on Squeeze, but no luck.

maybe you could try the LIKE statement and instead of "users" try "use" or "sers"...might work if you have only one table that matches the LIKE.

:-k


edit: also have a look here for the use of aliases: http://www.w3schools.com/sql/sql_alias.asp
bad thing is the original table/column name is still used in the FROM..AS statement, so no idea if this will not also be filtered then... :-k

CommonStray
Forum Assassin
Posts: 1215
Joined: 20 Aug 2005, 16:00

Re: MySQL table name alias

Post by CommonStray »

As far as I know you should only be able to alias column names:

    SELECT data1 AS data2 FROM table

Why are table names being filtered on the web server level in the first place? Client request filtering like in mod_security and escaping data in the web application are adequate, if applied properly, to protect against SQL injection. If it's a matter of you not wanting people to guess the table name, just name it something else.
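As an added illustration of the point CommonStray makes here (this is not code from the thread or from either poster), the following Python uses the sqlite3 module as a stand-in for MySQL (the DB-API placeholder is `?` instead of MySQL's `%s`; the pattern is otherwise the same) together with a hypothetical keyword blacklist of the kind the thread describes. It shows that the blacklist lets a classic injection string through while rejecting a legitimate account name that happens to contain "users", whereas a parameterized query treats the input as data no matter which words or quotes it contains. The table rows and the blocked-word list are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the "users" table from the thread.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "power_users_admin", "ops@example.invalid"),
]

# Hypothetical server-level blacklist like the one described in the thread.
BLOCKED_WORDS = ("select", "users")


def open_db():
    """Create an in-memory database with the sample table (sqlite3 used only
    because it ships with Python; the query pattern is the same on MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def keyword_filter_allows(value):
    """A keyword blacklist: reject any input containing a blocked word.
    It is a plain text check with no notion of SQL structure, so it cannot
    tell a table name in a query apart from the same letters in a username."""
    lowered = value.lower()
    return not any(word in lowered for word in BLOCKED_WORDS)


def lookup_unsafe(conn, name):
    """Vulnerable: the input is spliced into the SQL text, so a quote in the
    input changes the structure of the statement."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: the driver binds the value to the placeholder, so the input
    is always data, whatever words or quotes it contains."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def demo():
    """Run both lookups against the blacklist and return the observations."""
    conn = open_db()
    injected = "x' OR '1'='1"   # textbook injection string, contains neither blocked word
    legit = "power_users_admin"  # legitimate name that contains "users"
    result = {
        # The blacklist passes the injection but blocks the legitimate name.
        "filter_allows_injection": keyword_filter_allows(injected),
        "filter_allows_legit_name": keyword_filter_allows(legit),
        # The concatenated query returns every row for the injection; the
        # parameterized one returns none, and still finds the legitimate name.
        "unsafe_rows_for_injection": len(lookup_unsafe(conn, injected)),
        "safe_rows_for_injection": len(lookup_safe(conn, injected)),
        "safe_rows_for_legit_name": len(lookup_safe(conn, legit)),
    }
    conn.close()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is the one CommonStray states: the protection lives in how the application builds the query, not in which words a front-end filter rejects. A keyword filter is at best a secondary detection signal, and it carries false positives of its own.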

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Re: MySQL table name alias

Post by ayu »

CommonStray wrote: Why are table names being filtered on the web server level in the first place? Client request filtering like in mod_security and escaping data in the web application are adequate if applied properly to protect against SQL Injection, if its a matter of you not wanting people to guess the table name, just name it something else.

Well, it's not my server.
It's a guy who thinks that filtering out the table name will protect him.
And I want to prove him wrong.
The first "protection" he used was to filter out the word "SELECT" in a different way, but then I just HTML encoded it to go around it.
But this time he is filtering the word "users" instead, in a different way (hex doesn't work anymore).

EDIT:

b_b: I tried to use LIKE but it won't accept that.

And I also tried the following now:

    SELECT * FROM (SELECT table_name FROM information_schema.tables WHERE table_name = 0x706c6179657273) AS test;

But it just returns the result from the nested statement, and not the outer one ... darn it! ^^
Oh well, I will continue experimenting with this.
"The best place to hide a tree, is in a forest"

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Re: MySQL table name alias

Post by bad_brain »

hm, try decimal values:

    mysql> SELECT CONCAT(CHAR(117),CHAR(115),CHAR(101),CHAR(114),CHAR(115));
    +-----------------------------------------------------------+
    | CONCAT(CHAR(117),CHAR(115),CHAR(101),CHAR(114),CHAR(115)) |
    +-----------------------------------------------------------+
    | users                                                     |
    +-----------------------------------------------------------+
    1 row in set (0.00 sec)

also experiment with the ENCODE/DECODE function, I just couldn't test it because the returned string is binary and so you can't simply copy & paste it... but:

    SELECT ENCODE('users', 'pass');

then storing the returned value in a table and pulling it from the table in the query again (instead of the "users" in cleartext) might work:

    SELECT DECODE('cryptedstring', 'pass');

:-k

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Re: MySQL table name alias

Post by ayu »

humhum, I tried the following

    SELECT * FROM CONCAT(CHAR(117),CHAR(115),CHAR(101),CHAR(114),CHAR(115));

But it returned an error ... :<

Will try the next method later :-)
"The best place to hide a tree, is in a forest"
