Penetration Testing mailing list archives
SQL Injection - retrieving all rows
From: mel <meling () scan-associates net>
Date: Wed, 20 Mar 2002 19:24:59 +0800
Hi, I've been able to enumerate over 50 plus tables in a recent pen-test, now come the hard part - I want to dump data from the most important table that contains user names and passwords. However, the ASP app that I exploit only returns one row at a time. Is there anyway to overcome this? I've been looking for apps that return multiple rows (such as search,etc) but to know avail. I've tried dumping asp codes using BULK INSERT, but the command is only available for system account. Creating an stored procedure does not seem to work as well :( Now, I'm thinking of writing a script that dump the data one at a time, but I would like the advice from fellow pen-testers first. Cheers, --mel ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- SQL Injection - retrieving all rows mel (Mar 20)
- RE: SQL Injection - retrieving all rows Zacharias Pigadas (Mar 21)
- <Possible follow-ups>
- Re: SQL Injection - retrieving all rows Kevin Spett (Mar 21)
- Re: SQL Injection - retrieving all rows Kirk Schafer (Mar 21)
- RE: SQL Injection - retrieving all rows Athanasios Vamvakas (Mar 21)