Penetration Testing mailing list archives
Re: ORDER BY sql injection help
From: Trace <bugtrace () gmail com>
Date: Sat, 13 Jun 2009 14:19:25 +0800
http://code.google.com/p/bsqlbf-v2/downloads/list

The new version also supports blind SQL injection in “order by”, “group by” clauses. Try it, please.

On Fri, Jun 12, 2009 at 4:45 AM, <lister () lihim org> wrote:
> Requesting assistance. An application uses GET and one of the parameters translates to an ORDER BY in an Oracle SQL query. I can put in 1 through X where X is a column number to order the output up to X columns. I can also get ORA errors, so I know I have direct access to the SQL query. I'm looking for references on possible queries for a query with an injectable ORDER BY clause. I'm not sure if it is possible to break out of the ORDER BY to query other data.
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------
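
On the defensive side of the condition described in this thread (a GET parameter that ends up in an ORDER BY clause), the following is an added example and not part of the original messages: a sort parameter handled through an allow-list, so the request value never becomes SQL text. It uses Python's `sqlite3` as a stand-in for Oracle, and the table, column and function names are hypothetical.

```python
import sqlite3

# Allow-list: public sort keys -> fixed column identifiers (hypothetical schema).
SORT_COLUMNS = {"name": "name", "price": "price", "created": "created_at"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(sort_key, direction="asc"):
    """Return an ORDER BY clause made only of allow-listed fragments.

    Column identifiers and ASC/DESC cannot be supplied as bind parameters,
    so the request value is used only as a dictionary key and is never
    copied into the SQL text. Column positions (1..X) and expressions
    are rejected along with everything else not in the allow-list.
    """
    try:
        column = SORT_COLUMNS[sort_key]
        order = SORT_DIRECTIONS[direction.lower()]
    except (KeyError, TypeError, AttributeError):
        raise ValueError("unsupported sort parameter") from None
    return f"ORDER BY {column} {order}"


def list_products(conn, sort_key, direction="asc", max_price=1000):
    # Data values still travel as bind parameters; only the clause is composed.
    clause = build_order_by(sort_key, direction)
    sql = f"SELECT name, price FROM products WHERE price <= ? {clause}"
    return conn.execute(sql, (max_price,)).fetchall()


def demo_connection():
    # Constructed sample data, held in memory only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price INTEGER, created_at TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("desk", 120, "2009-06-01"), ("lamp", 40, "2009-06-03"),
         ("chair", 75, "2009-06-02")],
    )
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(list_products(conn, "price", "desc"))
    for value in ("1", "price, name", 2):  # constructed inputs outside the allow-list
        try:
            list_products(conn, value)
        except ValueError as exc:
            print(repr(value), "->", exc)
```

A rejected sort value should return a generic error to the client; the ORA errors mentioned in the question are what confirmed that the input reached the query.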
Current thread:
- ORDER BY sql injection help lister (Jun 12)
- Re: ORDER BY sql injection help Trace (Jun 15)
- RE: ORDER BY sql injection help SuRGeoN (Jun 15)
- Re: ORDER BY sql injection help arvind doraiswamy (Jun 15)
- Re: ORDER BY sql injection help Robin Wood (Jun 15)