SQL select from other database with sql injection
I was attacked by SQL injection and they got my database "root" user name and password.
But they also shows me some data from other database, which name this site definitely has no in its code.
Is it possible with SQL injection to select from other database (by user with full access)? Or the only way for this is to use url that has access to this database.
If this is possible, what sql it has? So I can find it in my logs开发者_开发知识库.
SHOW DATABASES;
This will give you a list of databases that you have access to. root has access to all of them (in most installations).
to see the tables:
SHOW TABLES IN `myDB`;
to see those tables structures you can do multiple things
SHOW CREATE TABLE `myDB`.`myTable`; /* This shows a executable query that can be used to recreate the table structure */
or
SHOW COLUMNS FROM `myTable` IN `myDB`; /* This shows a list of columns */
If they have your database root password, they can do anything. SQL can most definitely select from other databases inside the same server, using the same mechanism as you do for referring to multiple tables:
select database1.table.field, database2.othertable.otherfield, etc...
Using 'root' to do your front-end facing stuff is NEVER a good idea. Especially if you're writing vulnerable code. Always created a dedicated user with JUST the privileges you need. A simple blog engine, for instance, does not need to the rights to alter a table, drop a database, or change privileges.
Your logs would only show GET query parameters. If all the hacking with POST calls, the logs will not contain the actual data sent, so most likely you're SOL on that front. If you've got mysql binary logging enabled, there'll be a lot of every query executed.
Certainly a MySQL query can reference any database that lives in the same instance of MySQL.
SELECT * FROM `databasename`.`tablename` ...
And it's also easy to get the list of database names if the attacker can use SQL injection to execute arbitrary queries as root:
SHOW DATABASES;
Or:
SELECT DISTINCT table_schema FROM INFORMATION_SCHEMA.TABLES;
I encourage you to perform a thorough code review of all your code and be safer about writing dynamic SQL queries. You can use proper type coercion, string-escaping functions, and query parameters for most cases, but there are still more cases where you need to build dynamic SQL strings and those solutions don't help.
Review my presentation, SQL Injection Myths and Fallacies, or the chapter on SQL injection in my book SQL Antipatterns Volume 1: Avoiding the Pitfalls of Database Programming for ideas.
精彩评论