Home page logo
/

webappsec logo WebApp Sec mailing list archives

RE: SQL Injection question
From: "Imperva Application Defense Center" <adc () imperva com>
Date: Thu, 27 May 2004 09:28:45 +0200

On Thu, May 27, 2004 at 01:49:45AM +1000, Serg Belokamen wrote:
I am interested to know (if possible) how to extend an SQL 
injection 
attack to display requested information from the injected 
query rather 
then the one coded into the software.
Attack:
http://domain.com/script.php?showdata.php=3;select * from 
table where id=1
You can use UNION starment 
http://domain.com/script.php?showdata.php=3&apos; > UNION select * 
from table where id=1 the trick is that 2 queries have to 
give identical output (same types and number 
of columns
you can do it by using NULL or some bogus data as 
placeholders. if left query returns 1 integer and a varchar 
and you want to query for an integer use sth like this 
showdata.php=3' UNION select "XXX",cc_number from table where id=1--

google for Blindfolded_SQL_Injection.pdf if You want to know more


Blindfolded SQL Injection can be found at:
http://www.imperva.com/adc/papers/blindsql

It is also recommended, however, that you look into some basic
none-blinded SQL Injection papers, to better understand the use of UNION
SELECT (Simply google SQL Injection and choose a couple :)).

Ofer.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]