WebApp Sec mailing list archives
Re: SQL Injection question
From: Michael Scovetta <michael.scovetta () ca com>
Date: 27 May 2004 02:10:59 -0000
In-Reply-To: <1085586585.5436.43.camel@Chameleon>

Serg,

It's very dependent on the code that executes on the server. If, for instance, it's retrieving a list, so that foo.asp?name=a returns all records that start with 'a', then you may be able to use foo.asp?name=a' or name='b to get all names that start with a or b (you can extrapolate to better examples).

If, however, the code simply does:

    select statement
    get first row
    get name field
    show the name field on the page
    stop

then getting extra records won't help.

Many SQL injection strategies aren't focused on retrieving particular information, rather, on using unknown information:

    login.asp?username='(select username from t where uid=1) or 0=1&password=pass' or 1=1

There's no secret shortcut that will dump a query executed, even if SQL injection is possible. Look for pages that return paged results, those are probably the most susceptible to this form of attack.

Michael Scovetta
Hi All,

I am interested to know (if possible) how to extend an SQL injection attack to display requested information from the injected query rather than the one coded into the software. For example, performing a successful injection in the following manner:

    Normal: http://domain.com/script.php?showdata.php=3
    Attack: http://domain.com/script.php?showdata.php=3;select * from table where id=1

would successfully execute injected SQL on the database server and return an error to the caller since the software was made to process a particular query... not the injected one. How, and is it at all possible, to actually view the data corresponding to the injected SQL query, being: select * from table where id=1?

Best Regards,
Serg
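The point of the reply above, that what an injection exposes depends on how the page renders the query's rows, can be shown with a small runnable model. This is an added example and not code from either poster: it uses an in-memory SQLite table with constructed rows, a "list" page and a "first row only" page that both paste the `name` parameter into the SQL text (the foo.asp?name=... pattern), and a parameterized version of the same lookup as the fix. The table name `t`, the column names and the sample rows are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for this example (not from the original thread).
SAMPLE_ROWS = [(1, "a"), (2, "b"), (3, "c")]


def make_db():
    """Build an in-memory table t(uid, name) with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (uid INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO t (uid, name) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_vulnerable_sql(name):
    # The flaw behind foo.asp?name=...: the parameter is pasted into the SQL
    # text, so a quote in the input ends the literal and the rest is parsed
    # as SQL. (Deliberately vulnerable; shown for contrast with the fix.)
    return "SELECT name FROM t WHERE name = '" + name + "' ORDER BY uid"


def list_names_vulnerable(conn, name):
    # A "list" page: every row the query yields is rendered, so rows that an
    # injected condition adds become visible to the caller.
    return [row[0] for row in conn.execute(build_vulnerable_sql(name))]


def first_name_vulnerable(conn, name):
    # A "first row only" page, as in the reply's pseudocode: the same flawed
    # query runs, but only one row is shown, so extra rows stay hidden.
    row = conn.execute(build_vulnerable_sql(name)).fetchone()
    return row[0] if row else None


def list_names_safe(conn, name):
    # Hardened form: the value is bound as a parameter, so it is compared as
    # data and cannot change the structure of the query.
    return [row[0] for row in conn.execute(
        "SELECT name FROM t WHERE name = ? ORDER BY uid", (name,))]


if __name__ == "__main__":
    db = make_db()
    payload = "a' or name='b"  # the input quoted in the reply above
    print(list_names_vulnerable(db, payload))  # ['a', 'b']: the added row is visible
    print(first_name_vulnerable(db, payload))  # 'a': only the first row is ever shown
    print(list_names_safe(db, payload))        # []: compared as a literal string
```

The parameterized query is the fix; the rendering style only decides how much of a still-vulnerable page's data an injected condition reveals, which is why the reply singles out list and paged-result pages as the ones where the problem shows.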