
The following line of vulnerable code makes the user input always upper case:

mysql_query("select * from " . strtoupper($_GET['table']));

In a scenario where MySQL's "lower_case_table_names" is set to 0 (case sensitive schema and table comparisons), I'm unable to read data from lowercase tables. Is there any way to bypass this?

  • You can extract the actual name from the schema information (show tables) and use that in a union select. Commented Sep 16, 2017 at 18:08
  • @SmokeDispenser I've tried a lot of similar stuff without luck. How would I concatenate the name from information_schema to FROM? Can you please provide a working example? Commented Sep 16, 2017 at 18:11
  • Not off the top of my head, but along these lines: dev.mysql.com/doc/refman/5.7/en/derived-tables.html Commented Sep 16, 2017 at 18:27
  • @SmokeDispenser I know where you are coming from, but I don't think it'll work. Whether we use union or sub-selects, at some point it's necessary to specify the table name, and since we cannot use any variables without a prepared statement, I don't see a way to bypass the upper case. I was thinking about collations (dev.mysql.com/doc/refman/5.7/en/charset-collate.html) or some modifiers that can force a case insensitive select. Commented Sep 16, 2017 at 20:32
  • Duplicate of security.stackexchange.com/questions/169858/… Commented Sep 21, 2017 at 18:28
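For the defensive side of the line quoted in the question, here is an added example that is not part of the original thread: because a table identifier cannot be bound as a prepared-statement parameter, the request value is mapped through an allowlist to the exact, case-correct table name instead of being concatenated. The table names, the `ALLOWED_TABLES` map, the function names and the sample inputs are all assumptions constructed for illustration.

```php
<?php
// Added example (not from the thread): allowlist lookup for a table name
// taken from user input. Table names and inputs are constructed samples.

const ALLOWED_TABLES = [
    // key a client may send => exact identifier as stored in the schema.
    // With lower_case_table_names=0 the case on the right-hand side matters.
    'orders'   => 'orders',
    'products' => 'Products',
];

/**
 * Map untrusted input to a known table identifier, or null if not allowed.
 * Only an exact key match succeeds, so no byte of the request value is
 * ever copied into the SQL text.
 */
function resolve_table(string $input): ?string
{
    $key = strtolower(trim($input));
    return ALLOWED_TABLES[$key] ?? null;
}

/** Build the SELECT for an allowed table, or return null to reject. */
function build_query(string $input): ?string
{
    $table = resolve_table($input);
    if ($table === null) {
        return null; // caller should answer with an error and log the value
    }
    // Backticks quote the identifier; its value comes from the allowlist only.
    return 'SELECT * FROM `' . $table . '`';
}

// Constructed sample inputs: two allowed names, then values to be rejected.
$samples = ['orders', 'PRODUCTS', 'users', 'orders WHERE 1=1', ''];
foreach ($samples as $s) {
    $sql = build_query($s);
    printf("%-20s => %s\n", var_export($s, true), $sql ?? 'REJECTED');
}
```

The `mysql_query()` function used in the question was removed in PHP 7; the string returned by `build_query()` would be passed to `mysqli` or PDO instead.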
