You probably need the rest of the GET variables and the "--" cuts the
SQL query at the point where pDATOS_X is used.
Cheers,
Zapotek.
Luis Matus wrote:
> Hello, I am testing a web application, and I have found a vulnerable string
>
> solicitud.jsp?pDATOS_X=6&pPaisId=4&pConsulta=si
>
> In this case, if I modify pDATOS_X=? to another number, I can see
> someone else's data.
>
> How could I modify this string to visualize all records?
>
> since I am testing the web application and have access to the
> database, I know that the name of the field is DATOS_X. So I tried,
> solicitud.jsp?pDATOS_X=0 or DATOS_X is not null --
> &pPaisId=4&pConsulta=si
>
> But I only get the first row of the table.
>
>
> Any suggestions?
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
--
Owner and administrator of Segfault.gr
Global Moderator of GreekHackers.gr
Main developer of the WebSpidah [http://webspidah.segfault.gr]
web application security scanner.
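
Added example, not part of the original thread or of the application under test: it shows how the "--" in the posted value comments out the conditions built from the remaining GET variables when the query is concatenated, and how a validated, bound query returns nothing for the same input. The query shape, the table name solicitud, the PAIS_ID and titular columns, and the rows are assumptions constructed for illustration; only DATOS_X and the posted value come from the thread.

```python
import sqlite3

# Value exactly as posted in the thread.
PAYLOAD = "0 or DATOS_X is not null --"

def make_db():
    """In-memory table with constructed rows (table, PAIS_ID and titular are assumed names)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE solicitud (DATOS_X INTEGER, PAIS_ID INTEGER, titular TEXT)")
    db.executemany("INSERT INTO solicitud VALUES (?, ?, ?)",
                   [(6, 4, "alice"), (7, 4, "bob"), (8, 5, "carol")])
    return db

def concatenated_sql(datos_x, pais_id):
    """Vulnerable pattern: request parameters are pasted into the SQL text."""
    return ("SELECT titular FROM solicitud WHERE DATOS_X = " + datos_x +
            " AND PAIS_ID = " + pais_id)

def lookup_concatenated(db, datos_x, pais_id):
    """Run the concatenated statement; everything after "--" is a comment to the database."""
    return [row[0] for row in db.execute(concatenated_sql(datos_x, pais_id))]

def lookup_bound(db, datos_x, pais_id):
    """Hardened pattern: validate the type, then bind the values with placeholders."""
    try:
        params = (int(datos_x), int(pais_id))
    except ValueError:
        return []  # non-numeric input never reaches the database
    sql = "SELECT titular FROM solicitud WHERE DATOS_X = ? AND PAIS_ID = ?"
    return [row[0] for row in db.execute(sql, params)]

if __name__ == "__main__":
    db = make_db()
    # The statement the database actually receives: the PAIS_ID condition sits after "--".
    print(concatenated_sql(PAYLOAD, "4"))
    print(lookup_concatenated(db, PAYLOAD, "4"))  # every row, PAIS_ID filter dropped
    print(lookup_bound(db, PAYLOAD, "4"))         # rejected as non-numeric
    print(lookup_bound(db, "6", "4"))             # normal request still works
```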