SQL Injection SubSelects and IF Statements

Daily reads: 21 | 12.12.2007

I found myself in a situation where I couldn't finish a SQL statement properly because the input was going into multiple different queries and it was not possible to find one injection that could end all of them properly. To be able to do some blind tricks I needed to use a subselect with some kind of IF statement. The target was SQL Server, so the following query would be the ideal start:

SELECT Members WHERE user_id = 1 AND (IF (1=1) SELECT 1 ELSE SELECT 2)

Don't try it, it's not going to work, because SQL Server doesn't support IF statements in subselects. But it's strange you may use CASE statements in a subsel......
Ferruh Mavituna
© 2002-2007, Ferruh Mavituna
