Alternatives to Extract Tables and Columns from MySQL and MariaDB

I previously published a post on extracting table names when /or/i was filtered, which leads to the word information_schema being filtered as well. I did some more research into this area on my own and found many other tables from which you can extract table names. These are all the databases and tables I found where we can extract table names apart from ‘information_schema.tables’. I have tested the following in MySQL 5.7.29 and MariaDB 10.3.18. There are 39 queries in total.

Sys

These views were added in MySQL 5.7.9.

Using these queries, you can get the table file paths stored locally on disk, and from those paths you can extract the table names.

The following tables store previously executed queries, like a log. You can use regular expressions to find what you need.

Performance_Schema

As mentioned before, the following contain a log of all typed SQL queries. Sometimes you might find table names in them. For simplicity, I have used regular expressions to match the current database name.

As before, we are fetching the local table file paths.

MySQL

Information_Schema

However, the first column value can be retrieved in this case.

In this table, you can also use the column ‘column_name’ to get the first column of all tables.

Starting from MySQL 5.6, InnoDB exists in Information_Schema.
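From the defender's side, the sections above mean that a keyword filter aimed at information_schema leaves sys, performance_schema and mysql uncovered. The following added example (not from the original post) flags any statement in a query log that uses one of those schemas as a qualifier; the function names, sample statements and placeholder object names are constructed for illustration.

```python
import re

# Schemas the post names as sources of table names. Assumption: the
# application's own queries never reference them.
METADATA_SCHEMAS = {"information_schema", "sys", "performance_schema", "mysql"}

_LEXEME = re.compile(
    r"/\*!\d*(?P<exec>.*?)\*/"                        # /*!50000 ... */ body is executed
    r"|(?P<comment>/\*.*?\*/|#[^\n]*|--[ \t][^\n]*)"  # ordinary comments
    r"|(?P<string>'(?:[^'\\]|\\.|'')*'|\"(?:[^\"\\]|\\.|\"\")*\")",
    re.S,
)
_QUALIFIER = re.compile(r"(?:`([^`]+)`|\b(\w+))\s*\.")

def normalise(sql):
    """Drop comments and string literals, keep executable-comment bodies."""
    def _strip(m):
        if m.group("exec") is not None:
            return " " + normalise(m.group("exec")) + " "
        return " " if m.group("comment") is not None else "''"
    return _LEXEME.sub(_strip, sql)

def metadata_schemas(sql):
    """Return the metadata schemas used as a qualifier (schema.object)."""
    hits = set()
    for quoted, bare in _QUALIFIER.findall(normalise(sql)):
        name = (quoted or bare).lower()
        if name in METADATA_SCHEMAS:
            hits.add(name)
    return sorted(hits)

def keyword_filter_hits(sql):
    """The /or/i filter mentioned in the post, kept for comparison."""
    return re.search(r"or", sql, re.I) is not None

# Constructed statements; object names are placeholders, not real tables.
SAMPLES = [
    "SELECT id, name FROM shop.items WHERE id = 7",
    "SELECT x FROM information_schema.placeholder_t",
    "SELECT x FROM `SYS`/**/.`placeholder_v`",
    "SELECT x FROM /*!50000 mysql . placeholder_t */",
    "SELECT 'see sys.placeholder_v' AS note FROM shop.items",
]

def triage(statements):
    """Per statement: (schemas referenced, whether /or/i would have fired)."""
    return [(metadata_schemas(s), keyword_filter_hits(s)) for s in statements]

if __name__ == "__main__":
    for sql, (schemas, kw) in zip(SAMPLES, triage(SAMPLES)):
        print(f"{'ALERT' if schemas else 'ok':5} keyword={kw!s:5} {schemas} {sql}")
```

This is a log-triage heuristic: a table alias that happens to be called `sys` will also alert, and a schema name inside a string literal is deliberately ignored. Pair it with least privilege, so that the application account holds no SELECT on `mysql`, `sys` or `performance_schema`.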

Column Names

Most of the time, people ask me whether there’s any method to extract column names. You don’t really need to know the column names.

If errors are displayed, you can get the number of columns straight away using the first query below, which makes the query equal to 1, returning us the error. To determine the number of columns in a boolean blind injection scenario, you can use this trick, which will return 0 (since the values aren’t equal). After that, use the third query below to extract data 🙂

I hope these come in handy in your next pentest 🙂
