mailing list archives
Re: SQL Injection question
From: lazy () server gwsh gda pl
Date: Wed, 26 May 2004 20:11:06 +0200
On Thu, May 27, 2004 at 01:49:45AM +1000, Serg Belokamen wrote:
I am interested to know (if possible) how to extend an SQL injection attack to
display requested information from the injected query rather then the one coded into the software.
http://domain.com/script.php?showdata.php=3;select * from table where id=1
You can use UNION starment
http://domain.com/script.php?showdata.php=3' UNION select * from table where id=1
the trick is that 2 queries have to give identical output (same types and number
you can do it by using NULL or some bogus data as placeholders.
if left query returns 1 integer and a varchar and you want to query for an integer
use sth like this
showdata.php=3' UNION select "XXX",cc_number from table where id=1--
google for Blindfolded_SQL_Injection.pdf if You want to know more