I'm trying to do an SQL Injection attack, (This is for an assignment, so I'm not doing anything illegal) and I need to see what the current database name is. However, I'm limited to 15 characters for the input, which is 13 when you factor in escaping the string and commenting out the remainder. SELECT DATABASE() is too long because of this, so is there a way to return the database name in 13 characters or less?
-
can you increase the 15 char limit?Roland Starke– Roland Starke2017-08-31 18:13:38 +00:00Commented Aug 31, 2017 at 18:13
-
How would I do that? Isn't the character limit evaluated server side?user3246167– user32461672017-08-31 18:15:59 +00:00Commented Aug 31, 2017 at 18:15
-
you could try to send an input longer then 15 chars and test if it works. for more help i would need more informationRoland Starke– Roland Starke2017-08-31 18:26:16 +00:00Commented Aug 31, 2017 at 18:26
Add a comment
|
3 Answers
You can use SCHEMA() as it's a synonym for DATABASE(). See https://dev.mysql.com/doc/refman/5.7/en/information-functions.html#function_schema
1 Comment
user3246167
That's still above the character limit
Use STATUS. It gives you several status variables including the name of the database you are connected to.
2 Comments
Bill Karwin
SHOW STATUS does not include that information. You might be thinking of the mysql client builtin command status which includes the current database. But client builtin commands are not executed by the server, so they're not vulnerable to SQL injection.Bill Karwin
No... the OP will not be able to run
status using SQL injection. It's a client builtin command. One cannot execute client commands using SQL.The command SHOW TABLES is only 11 characters, and the heading of the result set reveals the current database.
Here's an example:
mysql> use test;
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| ... |
+----------------+
Comments
