Penetration Testing mailing list archives
ORDER BY sql injection help
From: lister () lihim org
Date: Thu, 11 Jun 2009 15:45:49 -0500
Requesting assistance. An application uses GET and one of the parameters translates to an ORDER BY in an Oracle SQL query. I can put in 1 through X where X is a column number to order the output up to X columns. I can also get ORA errors, so I know I have direct access to the SQL query. I'm looking for references on possible queries for a query with an injectable ORDER BY clause. I'm not sure if it is possible to break out of the ORDER BY to query other data.
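On the remediation side of the finding described in the post, a sort parameter has to be mapped through an allow-list, because an ORDER BY column cannot be supplied as a bind variable. The following is an added example, not part of the original post or thread; sqlite3 stands in for the Oracle backend, and the `users` table, its columns and all function names are hypothetical.

```python
import sqlite3

# Constructed sample rows; sqlite3 is a stand-in for the Oracle backend.
ROWS = [(1, "carol", "2009-03-01"), (2, "alice", "2009-01-15"), (3, "bob", "2009-02-10")]

# Allow-list: the only values the sort parameter may take, each mapped to an
# identifier written by the developer. Request text never reaches the SQL.
SORT_COLUMNS = {"1": "id", "2": "name", "3": "created",
                "id": "id", "name": "name", "created": "created"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, created TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return db


def build_order_by(sort, direction="asc"):
    """Return an ORDER BY clause built only from allow-listed identifiers."""
    column = SORT_COLUMNS.get(str(sort).strip().lower())
    order = SORT_DIRECTIONS.get(str(direction).strip().lower())
    if column is None or order is None:
        # Reject instead of passing the value on, so no database error
        # text is ever produced from request input.
        raise ValueError("unsupported sort parameter")
    return f"ORDER BY {column} {order}"


def list_users(db, sort, direction="asc"):
    # Only the clause returned by build_order_by() is concatenated.
    sql = "SELECT id, name, created FROM users " + build_order_by(sort, direction)
    return db.execute(sql).fetchall()


def list_users_bound(db, sort):
    # A bind variable is not a fix here: the driver binds a value, not an
    # identifier, so the rows are not ordered by the named column.
    return db.execute("SELECT id, name, created FROM users ORDER BY ?", (sort,)).fetchall()
```

Returning a generic error for rejected values, rather than the database's own message, also removes the ORA error feedback the post mentions.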