WebApp Sec mailing list archives

Re: SQL Injection data retrieving??

From: Roland Despins <roland2004 () romandie com>
Date: 11 Sep 2004 22:06:12 -0000

In-Reply-To: <47650053.20040910143111 () netdork net>

Thanks Jonathan for your help and clear explanations...

I've been able to extract all the columns and table name from my database but I couldn't get back the data.

I've tried: "select * from __dellist" etc.. but dind't work:

Error Type:
(0x80020009)
Exception occurred. 


I guess is because the script isn't designed to handle the output? I've try to generate an error using the 
convert(int,string) but it didn't work!

Are there really no other way to retreive datas once we have "blind discover" the structure of the database?

One other question: do you know a script that would automate the process of getting the tables and columns name? I know 
there is a commercial one called "SQL Injector" 
(http://www.spidynamics.com/products/Comp_Audit/toolkit/SQLinjector.html) but is there a open source one?

Thanks a lot in advance for your help

Current thread:

SQL Injection data retrieving?? Roland Despins (Sep 10)
- Re: SQL Injection data retrieving?? Jonathan Angliss (Sep 11)
  - Re: SQL Injection data retrieving?? saphyr (Sep 12)
- Re: SQL Injection data retrieving?? nummish (Sep 11)
- Re: SQL Injection data retrieving?? Ben Timby (Sep 11)
- Re: SQL Injection data retrieving?? Adam Tuliper (Sep 11)
  - Re: SQL Injection data retrieving?? Adam Tuliper (Sep 12)
- Re: SQL Injection data retrieving?? saphyr (Sep 12)
- <Possible follow-ups>
- Re: SQL Injection data retrieving?? Roland Despins (Sep 12)
  - Re: SQL Injection data retrieving?? Jonathan Angliss (Sep 13)
- RE: SQL Injection data retrieving?? Mark McDonald (Sep 13)
- Re: SQL Injection data retrieving?? Roland Despins (Sep 13)
  - Re: SQL Injection data retrieving?? Jonathan Angliss (Sep 15)
    - RE: SQL Injection data retrieving?? Peter Harrison (Sep 16)
- RE: SQL Injection data retrieving?? Shields, Larry (Sep 18)