Find Table Names for SQL Injection

Extracting table names to achieve SQL injection

Before building a query to extract sensitive information, the attacker must know what data he wants to extract and where it is stored in the database. This article explains how to show table names. To simplify learning, we suppose that some SQL injection vulnerability has been identified and the attacker knows how to exploit it using UNION-based attack. This is by far the simplest case, but the information could also be extracted using blind SQL injection techniques.

Permissions

First and foremost, you need to know that you will only be able to view tables that your database user has access to. In other words, you will only be able to list tables that your session user either owns or on which the user has been granted some permission. All other tables will seem to be inexistent.

Find Table Names in MySQL

In MySQL, the table information_schema.tables contains all the metadata related to table objects. Below is listed the most useful information of this table.

  • table_name: The name of the table.
  • table_schema: The schema in which the table was created.

Here is an example showing how to extract this information from a UNION attack.

User input.

1 AND 1=2 UNION SELECT table_schema, table_name, 1 FROM information_schema.tables

 

Query generated.

SELECT name, description, price FROM products WHERE category=1 AND 1=2 UNION SELECT table_schema, table_name, 1 FROM information_schema.table

If you want to limit the list of tables returned to the current schema, you can add a WHERE clause to filter this column in combination with DATABASE() and SCHEMA() functions.

Find Table Names in SQL Server

SQL Server also supports INFORMATION_SCHEMA and you should extract information concerning tables using information_schema.tables. Notice hoever that this data originates from sys.tables (systables for SQL Server 2000) but information_schema provides an abstraction layer and should be your first choice. The most interesting columns of this view are exactly the same that were identified for MySQL.

  • table_name: The name of the table.
  • table_schema: The schema in which the table was created.

As you can guess, the example presented for MySQL will also work in SQL Server, but here it is again.

User input.

1 AND 1=2 UNION SELECT table_schema, table_name, 1 FROM information_schema.tables

 

Query generated.

SELECT name, description, price FROM products WHERE category=1 AND 1=2 UNION SELECT table_schema, table_name, 1 FROM information_schema.table

Find Table Names in Oracle

For Oracle things are a little bit different since this DBMS does not support information_schema. Table objects are listed in the system table all_tables. Here are the most interesting columns to look for in this data dictionaryview.

  • table_name: The name of the table.
  • owner: The owner of the table.

Here again, the example presented earlier adapted to Oracle.

User input.

1 AND 1=2 UNION SELECT owner, table_name, 1 FROM all_tables

 

Query generated.

SELECT name, description, price FROM products WHERE category=1 AND 1=2 UNION SELECT owner, table_name, 1 FROM all_tables

Here is some more information about data dictionary views that may be useful.

  • all_tables : Returns all tables the current user has access to.
  • dba_tables : Returns the list of all system tables (given you have access are granted the SELECT_CATALOG_ROLE  role or if you have the SELECT ANY DICTIONARY privilege).
  • user_tables : Returns only the tables that the current user owns.

Take note however that those dictionary views are slightly different from each other.

More Information About Tables

Once table names are found, you can gather information about the columns in this table.

Posted in : Gathering Information
Tagged: