WebApp Sec mailing list archives
RE: SQL Injection question
From: "Imperva Application Defense Center" <adc () imperva com>
Date: Thu, 27 May 2004 09:28:45 +0200
> On Thu, May 27, 2004 at 01:49:45AM +1000, Serg Belokamen wrote:
> > I am interested to know (if possible) how to extend an SQL injection
> > attack to display requested information from the injected query rather
> > than the one coded into the software.
> >
> > Attack: http://domain.com/script.php?showdata.php=3;select * from table where id=1
>
> You can use UNION statement
>
> http://domain.com/script.php?showdata.php=3' UNION select * from table where id=1
>
> the trick is that 2 queries have to give identical output (same types and number of columns). you can do it by using NULL or some bogus data as placeholders.
>
> if left query returns 1 integer and a varchar and you want to query for an integer use sth like this
>
> showdata.php=3' UNION select "XXX",cc_number from table where id=1--
>
> google for Blindfolded_SQL_Injection.pdf if you want to know more

Blindfolded SQL Injection can be found at:
http://www.imperva.com/adc/papers/blindsql

It is also recommended, however, that you look into some basic non-blinded SQL Injection papers, to better understand the use of UNION SELECT (Simply google SQL Injection and choose a couple :)).

Ofer.
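
The column-matching rule discussed in this thread, shown from the defender's side as an added example that is not part of the original messages: the same request value is run through a concatenated query and through a bound parameter. It assumes an in-memory SQLite database; the `articles` and `cards` tables and all function names are hypothetical, and the data is constructed.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER, title TEXT);
        CREATE TABLE cards (id INTEGER, cc_number TEXT);
        INSERT INTO articles VALUES (3, 'Release notes');
        INSERT INTO cards VALUES (1, '0000-0000-0000-0000');
    """)
    return db

def show_concat(db, showdata):
    # Vulnerable form: the request value becomes part of the SQL text,
    # so a quote in it ends the literal and the rest is parsed as SQL.
    sql = "SELECT id, title FROM articles WHERE id = '" + showdata + "'"
    return db.execute(sql).fetchall()

def show_bound(db, showdata):
    # Hardened form: the value travels separately from the statement and
    # is only ever compared against id, whatever characters it contains.
    return db.execute(
        "SELECT id, title FROM articles WHERE id = ?", (showdata,)
    ).fetchall()

# Payload shape quoted in the thread, adapted to the constructed tables.
UNION_INPUT = "3' UNION SELECT 'XXX', cc_number FROM cards WHERE id=1--"
# Same idea with one column too few on the right-hand side.
SHORT_INPUT = "3' UNION SELECT cc_number FROM cards WHERE id=1--"

def union_error(db, showdata):
    # Returns the engine's complaint when the two SELECTs do not line up.
    # SQLite checks only the column count; stricter engines also check types.
    try:
        show_concat(db, showdata)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    db = make_db()
    print("concat, normal :", show_concat(db, "3"))
    print("concat, union  :", show_concat(db, UNION_INPUT))
    print("concat, short  :", union_error(db, SHORT_INPUT))
    print("bound,  normal :", show_bound(db, "3"))
    print("bound,  union  :", show_bound(db, UNION_INPUT))
```

With binding, the whole request value is compared against `id` as data, so the UNION text never reaches the SQL parser and the query returns no rows.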