Full Disclosure mailing list archives
Informix SQL injection
From: "Joshua Tagnore" <joshua.tagnore () gmail com>
Date: Mon, 5 Feb 2007 14:40:51 -0300
List,

I'm doing a pentest on a website that uses Informix Web DataBlade and found a SQL injection point. I have been able to use the webexplode() stored procedure to execute any SQL commands, and also operating system commands using SYSTEM.

The problem I have is that SYSTEM doesn't return the execution result (it's a procedure, not a function), so I have to save them to a file; for example: SYSTEM 'ls /etc/ > /tmp/result' and then read that file... the problem is... how do I read that file? I have tried with "load from ..." and it fails with a syntax error, and on the other side, when I use FILETOCLOB('/tmp/result','server') I don't know how to get the contents of the CLOB... Does anyone know something about Informix?

Cheers,
--
Joshua Tagnore