
I’m learning blind SQLi from the website "portswigger" and playing the labs there. Unfortunately, I don’t understand how SELECT "a" FROM users LIMIT 1 can return column "a" if there isn’t any column named "a" (maybe I don’t understand something). And why is there "LIMIT 1" (I know what it does, but not in this case)? Full code: TrackingId=xyz' AND (SELECT 'a' FROM users LIMIT 1)='a (TrackingId=xyz’ is true). The description of the lab does not say what database is used, but it is not Oracle, because "SUBSTRING" is used in the solution.

I don’t know how to google it, so I came here.


Answers


  1. That doesn’t look correct. With an SQL standard compliant database, the proper way to figure out if there is a table named users is

    SELECT count(*) FROM information_schema.tables
    WHERE table_name = 'users'
    

    Note that table names are case sensitive. Depending on the database management system, you might want to query for users as well.

    If you want to figure out if there is a table users with a column a, use

    SELECT count(*) FROM information_schema.columns
    WHERE table_name = 'users'
      AND column_name = 'a'
    
  2. The whole query probably includes another table (maybe a CTE), which does have a column "a". If Users also has a column "a", then it resolves to Users.a, otherwise it resolves to othertable.a. These could lead to predictably different results and so leak information.

    Without the LIMIT 1, PostgreSQL could give you the error ERROR: more than one row returned by a subquery used as an expression. Presumably the app server would do something to that error (other than pass it back unchanged to the criminal) which is less informative than the non-erroring case would be.

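Added example (not from the question, the answers, or the PortSwigger lab itself) showing, against a constructed in-memory SQLite database, why the subquery works: 'a' in single quotes is a string literal, so the subquery yields the value 'a' once per row of users even though no column is named a, and LIMIT 1 collapses that to a single value. It also contrasts the string-concatenated lookup with a parameterised one, which treats the same cookie value as data. The table names, column names and rows are assumptions for illustration; note that SQLite, unlike the PostgreSQL behaviour described in the second answer, silently uses the first row of a multi-row scalar subquery rather than raising an error.

```python
import sqlite3

# Constructed example: a tracked_users table (where the cookie is looked up)
# and a users table that deliberately has NO column named "a".
def build_db(with_users_table=True):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracked_users (tracking_id TEXT)")
    conn.execute("INSERT INTO tracked_users VALUES ('xyz')")
    if with_users_table:
        conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
        conn.executemany("INSERT INTO users VALUES (?, ?)",
                         [("administrator", "secret"), ("wiener", "peter")])
    return conn

def subquery_rows(conn, limit):
    """'a' is a string literal, so every row of users yields the value 'a';
    LIMIT 1 is what turns that row set into a single (scalar) value."""
    sql = "SELECT 'a' FROM users" + (" LIMIT 1" if limit else "")
    return conn.execute(sql).fetchall()

def vulnerable_lookup(conn, tracking_id):
    """The flaw the lab models: the cookie value is concatenated into SQL text,
    so anything after the closing quote is parsed as part of the query."""
    sql = f"SELECT tracking_id FROM tracked_users WHERE tracking_id = '{tracking_id}'"
    return conn.execute(sql).fetchone() is not None

def safe_lookup(conn, tracking_id):
    """The fix: a parameterised query compares the whole value as data."""
    sql = "SELECT tracking_id FROM tracked_users WHERE tracking_id = ?"
    return conn.execute(sql, (tracking_id,)).fetchone() is not None

def probe_outcome(conn, tracking_id):
    """The three things an application can observably do with the vulnerable
    lookup: match, no match, or a database error (e.g. users does not exist)."""
    try:
        return "match" if vulnerable_lookup(conn, tracking_id) else "no-match"
    except sqlite3.OperationalError:
        return "error"

# The payload from the question, unchanged.
PAYLOAD = "xyz' AND (SELECT 'a' FROM users LIMIT 1)='a"

if __name__ == "__main__":
    conn = build_db()
    print(subquery_rows(conn, limit=True))    # [('a',)]
    print(subquery_rows(conn, limit=False))   # [('a',), ('a',)], one per row
    print(probe_outcome(conn, PAYLOAD))       # match: the injected condition held
    print(probe_outcome(build_db(False), PAYLOAD))  # error: no users table
    print(safe_lookup(conn, PAYLOAD))         # False: no cookie equals that string
```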