Injection Without Knowing the Column Names

Just discover a SQL injection point, but fail to know the column names? Stumble against the Access database or MySQL 4.0 database? Do not worry, here I am gonna share a method to dump the database even without knowing column names.

The basic idea of this method is to use subquery,*, and alias to inject. We use * to dump all entries in certain table, and then use alias to overwrite their original column names. See the example below.

Example

Here are two tables (articles and users). Let’s assume we do not know about column names of table users.

Let us assume the injection is at the end of the query statement for table articles. With order by, we can know the number of columns of table articles.

Alright, table articles has 5 columns. What about the table users? We can use subquery here.

Now, here is the trick. 

As you can see, we name the column names in this result table. Similarly, we can make SQL injection with this trick. More specific, We can use alias and define the column names of the result table. With this trick, we can query the content of table users and finally get a result table with the column names we define, just like it is shown below.

Finally, with union query, we can conduct our final payload. 

select * from articles where id=-1 union select 1,2,3,4,5 from (select 1 as col1,2 as col2,3 from users where 1=2 union select * from users)x;
mysql> select * from articles where id=-1 union select 1,col2,col3,4,5 from (select 1 as col1,2 as col2,3 as col3 from users where 1=2 union select * from users)x;

Leave a Reply

Your email address will not be published. Required fields are marked *