I was attacked by SQL injection and they got my database "root" user name and password.
But they also shows me some data from other database, which name this site definitely has no in its code.
Is it possible with SQL injection to select from other database (by user with full access)?
Or the only way for this is to use url that has access to this database.
If this is possible, what sql it has? So I can find it in my logs.
Fabrizio :
SHOW DATABASES;\n\n\nThis will give you a list of databases that you have access to. root has access to all of them (in most installations).\n\nto see the tables:\n\nSHOW TABLES IN `myDB`;\n\n\nto see those tables structures you can do multiple things\n\nSHOW CREATE TABLE `myDB`.`myTable`; /* This shows a executable query that can be used to recreate the table structure */\n\nor\n\nSHOW COLUMNS FROM `myTable` IN `myDB`; /* This shows a list of columns */\n",
2011-06-28T21:40:39
Marc B :
If they have your database root password, they can do anything. SQL can most definitely select from other databases inside the same server, using the same mechanism as you do for referring to multiple tables:\n\nselect database1.table.field, database2.othertable.otherfield, etc...\n\n\nUsing 'root' to do your front-end facing stuff is NEVER a good idea. Especially if you're writing vulnerable code. Always created a dedicated user with JUST the privileges you need. A simple blog engine, for instance, does not need to the rights to alter a table, drop a database, or change privileges.\n\nYour logs would only show GET query parameters. If all the hacking with POST calls, the logs will not contain the actual data sent, so most likely you're SOL on that front. If you've got mysql binary logging enabled, there'll be a lot of every query executed.",
2011-06-28T21:31:59