I’m learning blind SQLi from website "portswigger" and play labs there.Unfortunately, i don’t understand, how SELECT "a" FROM users LIMIT 1 can return column "a", if there isn’t any column, named "a"(may be i don understand something). And why is there "LIMIT 1"(I know what it do, but not in this case)? Full code: TrackingId=xyz' AND (SELECT 'a' FROM users LIMIT 1)='a (TrackingId=xyz’ is true). In description of the lab it does not say what database is used, but it not Oracle, because there’s using "SUBSTRING" in the solving.
I don’t know, how to google it, so i come here.
2
Answers
That doesn’t look correct. With an SQL standard compliant database, the proper way to figure out if there is a table named
usersisNote that table names are case sensitive. Depending on the database management system, you might want to query for
usersas well.If you want to figure out if there is a table
userswith a columna, useThe whole query probably includes another table (maybe a CTE), which does have a column "a". If Users also has a column "a", then it resolves to Users.a, otherwise it resolves to othertable.a. These could lead to predictably different results and so leak information.
Without the LIMIT 1, PostgreSQL could give you the error
ERROR: more than one row returned by a subquery used as an expression. Presumably the app server would do something to that error (other than pass it back unchanged to the criminal) which is less informative than the non-erroring case would be.