SQL Injection Type 2 :- Schema field mapping

Schema field mapping

The first steps are to guess some field names: we’re reasonably sure that the query includes “email address” and “password”, and there may be things like “US Mail address” or “userid” or “phone number”. We’d dearly love to perform a SHOW TABLE, but in addition to not knowing the name of the table, there is no obvious vehicle to get the output of this command routed to us.

So we’ll do it in steps. In each case, we’ll show the whole query as we know it, with our own snippets shown specially. We know that the tail end of the query is a comparison with the email address, so let’s guess email as the name of the field:

SELECT fieldlist
  FROM table
 WHERE field = 'x' AND email IS NULL; --';

The intent is to use a proposed field name (email) in the constructed query and find out if the SQL is valid or not. We don’t care about matching the email address (which is why we use a dummy ‘x’), and the marks the start of an SQL comment. This is an effective way to “consume” the final quote provided by application and not worry about matching them.

If we get a server error, it means our SQL is malformed and a syntax error was thrown: it’s most likely due to a bad field name. If we get any kind of valid response, we guessed the name correctly. This is the case whether we get the “email unknown” or “password was sent” response.

Note, however, that we use the AND conjunction instead of OR: this is intentional. In the SQL schema mapping phase, we’re not really concerned with guessing any particular email addresses, and we do not want random users inundated with “here is your password” emails from the application – this will surely raise suspicions to no good purpose. By using the AND conjunction with an email address that couldn’t ever be valid, we’re sure that the query will always return zero rows and never generate a password-reminder email.

Submitting the above snippet indeed gave us the “email address unknown” response, so now we know that the email address is stored in a field email. If this hadn’t worked, we’d have tried email_address or mail or the like. This process will involve quite a lot of guessing.

Next we’ll guess some other obvious names: password, user ID, name, and the like. These are all done one at a time, and anything other than “server failure” means we guessed the name correctly.

SELECT fieldlist
  FROM table
 WHERE email = 'x' AND userid IS NULL; --';

As a result of this process, we found several valid field names:

  • email
  • passwd
  • login_id
  • full_name

There are certainly more (and a good source of clues is the names of the fields on forms), but a bit of digging did not discover any. But we still don’t know the name of the table that these fields are found in – how to find out?

Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.
%d bloggers like this: