Bypass PHP strtoupper() to perform SQL-injection on MySQL database?

Çağlar Arlı      -    15 Views

I encountered a particularly weird situation where I have an SQL Injection vulnerability in the ORDER BY clause. The query is forged on the backend and the injection payload is converted to upper case with the strtoupper() PHP function, as can be seen below:

$sql="select something from table order by ".strtoupper($injection);

The problem is that I can extract from information_schema and variable names but I can't extract data from other tables because the table name in the select query is defined in lowercase.

For example:

SELECT * FROM mysql.user   -- Will work.
SELECT * FROM MYSQL.USER   -- Cannot find MYSQL.USER.

Apparently, INFORMATION_SCHEMA is the same thing as information_schema. But this does not apply to the other tables as well.

To extract data I used the following injection:

if(1=1,0,~0*2) 

If the query returns true, nothing happens; when it is FALSE, a generic message is revealed.

The MySQL server version is 5.7.19, the user is running as root, but as I've seen in the latest updates, the server must be started with a special argument in order to use load_file or INTO OUTFILE statements.

I managed to sort of "bypass" the strtoupper() function by providing Cyrillic input characters, but MySQL does not recognize the table name because it's in Cyrillic.

Any advice on how to bypass this?
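
On the defensive side, strtoupper() only changes letter case; the input in the query above still becomes SQL text. The following is an added example, not code from the original post: it replaces the concatenation with an allowlist lookup, since ORDER BY identifiers cannot be bound as prepared-statement parameters. The function buildOrderBy(), the table `items` and the column names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical sort keys a client may send, mapped to fixed column names.
// Only these literal identifiers can ever reach the SQL text.
const SORT_COLUMNS = [
    'name'    => '`name`',
    'created' => '`created_at`',
];
const SORT_DIRECTIONS = ['ASC', 'DESC'];

/**
 * Build an ORDER BY clause from untrusted input.
 * Identifiers and keywords cannot be bound as prepared-statement
 * parameters, so the input is used only as a lookup key.
 */
function buildOrderBy(string $sortKey, string $direction = 'ASC'): string
{
    if (!array_key_exists($sortKey, SORT_COLUMNS)) {
        throw new InvalidArgumentException('Unsupported sort key');
    }
    $direction = strtoupper($direction);
    if (!in_array($direction, SORT_DIRECTIONS, true)) {
        throw new InvalidArgumentException('Unsupported sort direction');
    }
    return ' ORDER BY ' . SORT_COLUMNS[$sortKey] . ' ' . $direction;
}

// Constructed sample inputs: two legitimate requests and the expression
// quoted in the question, which is not a key in SORT_COLUMNS.
$samples = [
    ['name', 'asc'],
    ['created', 'DESC'],
    ['if(1=1,0,~0*2)', 'ASC'],
];

foreach ($samples as [$key, $dir]) {
    try {
        // `items` is a placeholder table name.
        $sql = 'SELECT name, created_at FROM items' . buildOrderBy($key, $dir);
        echo "accepted: $sql\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```

The first two samples produce a query with a fixed column and direction; the third is rejected before any SQL is built.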