RE: SQL Injection question

["Imperva Application Defense Center" <adc () imperva com>]

> On Thu, May 27, 2004 at 01:49:45AM +1000, Serg Belokamen wrote:
> > I am interested to know (if possible) how to extend an SQL 
> injection 
> > attack to display requested information from the injected 
> query rather 
> > then the one coded into the software.
> > Attack:
> > http://domain.com/script.php?showdata.php=3;select * from 
> table where id=1
> You can use UNION starment 
> http://domain.com/script.php?showdata.php=3' > UNION select * 
> from table where id=1 the trick is that 2 queries have to 
> give identical output (same types and number 
> of columns
> you can do it by using NULL or some bogus data as 
> placeholders. if left query returns 1 integer and a varchar 
> and you want to query for an integer use sth like this 
> showdata.php=3' UNION select "XXX",cc_number from table where id=1--
>
> google for Blindfolded_SQL_Injection.pdf if You want to know more

Blindfolded SQL Injection can be found at:
http://www.imperva.com/adc/papers/blindsql

It is also recommended, however, that you look into some basic
none-blinded SQL Injection papers, to better understand the use of UNION
SELECT (Simply google SQL Injection and choose a couple :)).

Ofer.