I am trying to exploit (legally) a MariaDb database with an SQLi vulnerability.
I have identified the vulnerability here...
/?o=1&page=app>
Some observations:
The mysql.user table does not include columns uid or dest
To exploit a SQL Injection vulnerability, we have to work within the context of the SQL statement that is being dynamically constructed.
If the application SQL statement is of the form:
SELECT somecol FROM sometable WHERE keycol = 'x' ORDER BY foo LIMIT 1
And if the value of x is being incorporated into the SQL text, we can attempt to supply values of 'x' that will form a valid SQL statement. But we don't "break out" of the preceding statement.
If we are attempting to include another FROM clause, to pull data from another table, we might think in terms of formulating a statement like this:
SELECT somecol FROM sometable WHERE keycol = 'foo' AND 1=0
UNION ALL
SELECT expr FROM anothertable ORDER BY expr LIMIT 1 -- '
There might be a multi-statement vulnerability, where we could execute multiple statements.
But we don't need to spend a lot of time figuring out how to exploit it; time and effort is better spent fixing the application to close the vulnerability.
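The contrast the answer draws between a dynamically built statement and the fix, as an added example that is not part of the original post: the `pages`/`accounts` tables, the `slug` parameter and the function names are constructed for illustration, and sqlite3 stands in for MariaDB so the script runs offline (the string-building defect and the bound-parameter fix are the same on either engine).

```python
import sqlite3


def make_db():
    """Constructed sample schema standing in for the application's tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pages (title TEXT, slug TEXT, sort_order INTEGER);
        INSERT INTO pages VALUES ('Application', 'app', 1), ('Home', 'home', 0);
        CREATE TABLE accounts (login TEXT, pw_hash TEXT);
        INSERT INTO accounts VALUES ('admin', 'hash-placeholder');
    """)
    return db


def lookup_vulnerable(db, slug):
    # Dynamic SQL: the request value is spliced into the statement text, so
    # anything it contains is parsed as SQL in the context of this SELECT.
    sql = f"SELECT title FROM pages WHERE slug = '{slug}' ORDER BY sort_order LIMIT 1"
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, slug):
    # Bound parameter: the value is handed to the driver as data and compared
    # as a whole string; it is never part of the statement text.
    sql = "SELECT title FROM pages WHERE slug = ? ORDER BY sort_order LIMIT 1"
    return [row[0] for row in db.execute(sql, (slug,))]


# The input shape the answer describes: it stays inside the quoted string,
# neutralises the original WHERE with AND 1=0, appends a UNION against another
# table, and comments out the trailing ORDER BY / LIMIT of the host statement.
INJECTED = "app' AND 1=0 UNION ALL SELECT login FROM accounts ORDER BY 1 LIMIT 1 -- "

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "app"))        # ['Application']
    print(lookup_vulnerable(db, INJECTED))     # ['admin']: a row from the other table
    print(lookup_parameterized(db, INJECTED))  # []: the whole string is just an unmatched slug
```

Auditing for the first pattern (string formatting or concatenation feeding `execute`) and replacing it with the second is the fix the answer recommends; the parameterized version needs no escaping logic of its own.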