Re: SQL Injection question
From: Michael Scovetta <michael.scovetta () ca com>
Date: 27 May 2004 02:10:59 -0000
In-Reply-To: <1085586585.5436.43.camel () Chameleon>
It's very dependent on the code that executes on the server. If, for instance, it's retrieving a list, so that
foo.asp?name=a returns all records that start with 'a', then you may be able to use
foo.asp?name=a' or name='b
to get all names that start with a or b (you can extrapolate to better examples). If, however, the code simply does:
get first row
get name field
show the name field on the page
then getting extra records won't help. Many SQL injection strategies aren't focused on retrieving particular
information, but rather on using unknown information:
login.asp?username='(select username from t where uid=1) or 0=1&password=pass' or 1=1
There's no secret shortcut that will dump an executed query, even if SQL injection is possible. Look for pages that return
paged results; those are probably the most susceptible to this form of attack.
I am interested to know (if possible) how to extend an SQL injection attack to
display requested information from the injected query rather than the one coded into the software.
For example performing a successful injection in the following manner:
http://domain.com/script.php?showdata.php=3;select * from table where id=1
would successfully execute injected SQL on the database server and return an error to the caller since the software
was made to process a particular query... not injected one.
How and is it at all possible to actually view the data corresponding to injected SQL query, being:
select * from table where id=1?
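The two situations the reply contrasts (a list page where extra rows become visible versus a page that only shows the first row) can be reproduced offline with a small SQLite table. The following is an added example written for this archive page, not code from either poster. The table, its rows, the prefix-search query and the function names are all constructed here; the injected input is adapted to the LIKE query so that it has the effect the reply describes. The hardened variant binds the input as a parameter and escapes LIKE wildcards, so the same input is treated as literal data.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the mailing list).
ROWS = [("alice",), ("amy",), ("bob",), ("carol",)]


def make_db():
    """Build an in-memory table 't(name)' with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (name TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", ROWS)
    return conn


def names_vulnerable(conn, prefix):
    """The 'foo.asp?name=a' pattern from the reply: user input pasted into SQL.

    A prefix of a%' OR name LIKE 'b turns the WHERE clause into
    name LIKE 'a%' OR name LIKE 'b%', so rows the caller never asked for appear.
    """
    sql = "SELECT name FROM t WHERE name LIKE '" + prefix + "%' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def first_name_vulnerable(conn, prefix):
    """The 'get first row, show the name field' pattern: same injection,
    but only one row is ever rendered, so the extra rows are not visible."""
    rows = names_vulnerable(conn, prefix)
    return rows[0] if rows else None


def _escape_like(text):
    """Escape LIKE wildcards so the user's text matches only itself."""
    return (text.replace("\\", "\\\\")
                .replace("%", "\\%")
                .replace("_", "\\_"))


def names_safe(conn, prefix):
    """Hardened form: the input is bound as a parameter, never spliced into
    the query text, so quotes and OR clauses inside it cannot alter the SQL."""
    sql = "SELECT name FROM t WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
    return [row[0] for row in conn.execute(sql, (_escape_like(prefix) + "%",))]


if __name__ == "__main__":
    db = make_db()
    benign = "a"
    injected = "a%' OR name LIKE 'b"
    print("vulnerable, benign:  ", names_vulnerable(db, benign))
    print("vulnerable, injected:", names_vulnerable(db, injected))
    print("first-row only:      ", first_name_vulnerable(db, injected))
    print("parameterised:       ", names_safe(db, injected))
```

Running it shows the list query returning bob alongside the a-names for the injected input, the first-row page showing only alice either way (the reply's point that "getting extra records won't help" the attacker when nothing else is rendered), and the parameterised query returning nothing for the injected string because it is searched for literally. Parameter binding, not output shape, is what actually removes the injection.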