I can try some SQL-injection against a ad-hoc damn web application in my virtual enviroment for educational purpose. In one of these I obtain the table column_privileges (of Mysql Information schema) empty, I retrive the table but the fiels are empty. Is it possible that this table is empty or I have not the privileges to see it? Is there some test to obtain the confirm that I have not the privilege to see this table? In the case it is really empty, does this imply some important consideration?
Asked
Active
Viewed 390 times
1
-
What user are you executing your sql-injection attack as? Typicially, only root will have access to this table... – DrDamnit Aug 08 '17 at 21:40
-
I'm not root, but I can see other tables of information schema. – Bob Aug 08 '17 at 21:44
-
1Bingo. No root, no permissions access. – DrDamnit Aug 08 '17 at 21:46
-
I can see the table, it do not return access error but the fields are empty. – Bob Aug 08 '17 at 21:49
-
Of course you see the table. You need to have access to the permissions for the user you're working with. But you're trying to get more than that. Can't without privilege escalation. – DrDamnit Aug 08 '17 at 21:52
-
My uncertain is that for some other table I obtain a specific access denied error, but for column_privileges no, simply I see the fields empty. – Bob Aug 08 '17 at 22:04
1 Answers
0
It is no possible see information about database objects for which you don't have permissions. An empty information_schema table suggests a permissions issue for the user you are using to connect to the server.
Bob
- 129
- 2
- 7