!! > Ok these looks good, but i think is not enough for blind sql injection.
!! > What about appending the comment string ( -- / # )?
may be you get some more ideas, see (incomplete) list here
http://ende.my-stp.net/sqlPattern.xml
(best viewed with http://ende.my-stp.net/EnDe.html :)
!!
!! If I append a -- or a # , then I should also guess the correct amount
!! of parenthesis. Examples:
i.g. no, as that's (in most cases) the purpose of the comment
If there're parenthesis required, you can use a fuzzing logic like:
1 or 1=1 #
1 or 1=1) #
1 or 1=1)) #
...
!! Original: select * from users where (a = $id);
!! Injected 1: select * from users where (a = 1 and 1 = 1); ---> syntax ok
!! Injected 2: select * from users where (a = 1 and 1 = 1--); --->
!! invalid syntax
yes and no 'cause it depends on the database's SQL engine
!! So..., adding a comment isn't always the best. Could you please think
!! about an example where 1 AND 1=1 wouldn't work, and 1 AND 1=1-- would?
... where id = <value> and id > 42 ...
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
