WebApp Sec mailing list archives
SQL Injection question
From: Serg Belokamen <serg () dodo com ai>
Date: Thu, 27 May 2004 01:49:45 +1000
Hi All,

I am interested to know (if possible) how to extend an SQL injection attack to display requested information from the injected query rather than the one coded into the software.

For example, performing a successful injection in the following manner:

Normal: http://domain.com/script.php?showdata.php=3
Attack: http://domain.com/script.php?showdata.php=3;select * from table where id=1

would successfully execute injected SQL on the database server and return an error to the caller, since the software was made to process a particular query... not the injected one.

How, and is it at all possible, to actually view the data corresponding to the injected SQL query, being: select * from table where id=1?

Best Regards,
Serg
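From the defender's side, the parameter value quoted in the message above stops being executable once the handler validates the id and binds it instead of concatenating it into the query. This is an added example, not part of the original post; Python's sqlite3 stands in for the PHP application's database, and the `articles` table, its rows and the function names are assumptions.

```python
import re
import sqlite3

ATTACK = "3;select * from table where id=1"  # parameter value quoted in the post

def make_db():
    """In-memory database with constructed sample rows (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(1, "first"), (3, "third")])
    return conn

def parse_id(raw):
    """Accept only a short run of ASCII digits; anything else is rejected."""
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError("id must be a decimal integer")
    return int(raw)

def lookup_bound(conn, raw):
    """Bind the value as a parameter: it is compared as data, never parsed as SQL."""
    row = conn.execute("SELECT body FROM articles WHERE id = ?", (raw,)).fetchone()
    return row[0] if row else None

def show_data(conn, raw):
    """Hardened handler: validate first, then bind."""
    return lookup_bound(conn, parse_id(raw))

if __name__ == "__main__":
    db = make_db()
    print(show_data(db, "3"))        # normal request returns its row
    print(lookup_bound(db, ATTACK))  # bound as data: matches no id
    try:
        show_data(db, ATTACK)
    except ValueError as exc:
        print("rejected:", exc)
```

Binding alone already keeps the trailing statement from being executed; the validation step additionally lets the handler return a clean rejection instead of an empty result.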