WebApp Sec mailing list archives

Re: SQL Injection question


From: Michael Scovetta <michael.scovetta () ca com>
Date: 27 May 2004 02:10:59 -0000

In-Reply-To: <1085586585.5436.43.camel@Chameleon>

Serg,
 It's very dependent on the code that executes on the server. If, for instance, it's retrieving a list, so that 
foo.asp?name=a returns all records that start with 'a', then you may be able to use 
   foo.asp?name=a' or name='b 
to get all names that start with a or b (you can extrapolate to better examples). If, however, the code simply does:
  select statement
  get first row
  get name field
  show the name field on the page
  stop
then getting extra records won't help. Many SQL injection strategies aren't focused on retrieving particular 
information, but rather on using unknown information:
  login.asp?username='(select username from t where uid=1) or 0=1&password=pass' or 1=1

There's no secret shortcut that will dump an executed query, even if SQL injection is possible. Look for pages that return 
paged results; those are probably the most susceptible to this form of attack.


Michael Scovetta
Hi All, 

I am interested to know (if possible) how to extend an SQL injection attack to
display requested information from the injected query rather than the one coded into the software.

For example performing a successful injection in the following manner:

Normal:
http://domain.com/script.php?showdata.php=3

Attack:
http://domain.com/script.php?showdata.php=3;select * from table where id=1

would successfully execute injected SQL on the database server and return an error to the caller since the software 
was made to process a particular query... not the injected one.

How, and is it at all possible, to actually view the data corresponding to the injected SQL query, being:

select * from table where id=1?

  Best Regards,
     Serg
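The distinction drawn in the reply above (a list page leaks the extra rows an injected `' or name='` produces, a page that shows only the first row does not, and a login check built by string concatenation accepts a bogus password) as an added example that is not part of either message. It assumes a hypothetical name-lookup handler built on an exact-match `WHERE name = '...'` query and a hypothetical login handler, constructed sample rows in an in-memory SQLite database, and constructed names; beside each defective handler it shows the parameterized query that fixes it.

```python
import sqlite3

# Constructed sample data, not from the thread.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55")]


def _connect():
    """Fresh in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (uid INTEGER PRIMARY KEY, "
                 "name TEXT, password TEXT)")
    conn.executemany("INSERT INTO t (name, password) VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(name):
    """Hypothetical 'foo.asp?name=' handler: the parameter is pasted into the
    SQL text, so a quote in the input changes the statement (the defect)."""
    conn = _connect()
    sql = "SELECT name FROM t WHERE name = '" + name + "' ORDER BY uid"
    return [row[0] for row in conn.execute(sql)]


def first_row_vulnerable(name):
    """Same defective query, but the page shows only the first row: the
    'get first row, show the name field, stop' case from the reply. The
    extra rows are never displayed, yet the query was still altered."""
    rows = lookup_vulnerable(name)
    return rows[0] if rows else None


def lookup_safe(name):
    """Parameterized query: the driver binds the value, so the input is
    compared literally and cannot alter the SQL statement."""
    conn = _connect()
    sql = "SELECT name FROM t WHERE name = ? ORDER BY uid"
    return [row[0] for row in conn.execute(sql, (name,))]


def login_vulnerable(username, password):
    """Hypothetical 'login.asp' check built by concatenation."""
    conn = _connect()
    sql = ("SELECT uid FROM t WHERE name = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(username, password):
    """Parameterized login check (plain-text password comparison only to
    keep the example short; real code compares a password hash)."""
    conn = _connect()
    sql = "SELECT uid FROM t WHERE name = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    # The thread's ' or name=' pattern with constructed names.
    INJECTED = "alice' or name='bob"
    print(lookup_vulnerable("alice"))        # ['alice']
    print(lookup_vulnerable(INJECTED))       # ['alice', 'bob']  extra row shown
    print(first_row_vulnerable(INJECTED))    # alice  (extra row never shown)
    print(lookup_safe(INJECTED))             # []  (no such literal name)
    # The thread's "or 1=1" idea with the closing quote balanced.
    print(login_vulnerable("alice", "x' or '1'='1"))   # True  (bypass)
    print(login_safe("alice", "x' or '1'='1"))         # False
```

The first-row handler illustrates the reply's point that how much an injection shows depends on what the page does with the result set, but the query is rewritten just the same, so it is a defect to fix rather than a safe pattern to rely on; binding parameters, as in `lookup_safe` and `login_safe`, removes the problem in all three cases regardless of how the output is rendered.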
