SQL Injection Questions


Post by Tentra on Tue Jun 23, 2009 3:08 pm

I have a basic knowledge of SQL injection, and I have been messing around with "MySQLi Dumper v.1.2" and I can use it efficiently. Although I don't understand the injections it uses, most importantly I don't know how it finds the names of the tables and columns. If I knew how to do this by hand I would no longer be bound to a skiddie tool.

I know that "INFORMATION_SCHEMA.TABLES.TABLE_NAME" contains the names of the tables. But I don't know how to connect to a different database or get the server to echo the data to the page.

Don't tell me to Google it. I have and found 3 things:
http://ha.ckers.org/sqlinjection/
http://unixwiz.net/techtips/sql-injection.html
http://sqlzoo.net/hack/24table.htm

I can't find anything that talks about what I need.

If anyone could point me to any examples or articles, that would be amazing.

-- Fri Jun 26, 2009 1:58 pm --

Never mind, I have found my answer.


Re: SQL Injection Questions

Post by thedotmaster on Mon Jul 20, 2009 7:46 am

Here is your answer:
http://www.w3schools.com/SQl/default.asp
and:
http://dev.mysql.com/doc/refman/5.0/en/tutorial.html

Sure, you may be able to enter certain strings that you found out about, but it's far better if you can work out those strings yourself, rather than relying on someone else to do it for you.