Achim,

On Mon, Nov 17, 2008 at 6:06 AM, Achim Hoffmann <[EMAIL PROTECTED]> wrote:
> !!
> Ok, these look good, but I think it is not enough for blind SQL injection.
> !!
> What about appending the comment string ( -- / # )?
>
> Maybe you get some more ideas, see (incomplete) list here:
>   http://ende.my-stp.net/sqlPattern.xml
> (best viewed with http://ende.my-stp.net/EnDe.html :)
>
> !!
> !! If I append a -- or a # , then I should also guess the correct number
> !! of parentheses. Examples:
>
> i.g. no, as that's (in most cases) the purpose of the comment.
> If there are parentheses required, you can use a fuzzing logic like:
>
>     1 or 1=1 #
>     1 or 1=1) #
>     1 or 1=1)) #
>     ...

fuzzing, guessing... almost the same =)

> !! Original:   select * from users where (a = $id);
> !! Injected 1: select * from users where (a = 1 and 1 = 1);   ---> syntax ok
> !! Injected 2: select * from users where (a = 1 and 1 = 1--); ---> invalid syntax
>
> yes and no, 'cause it depends on the database's SQL engine.
> Are you sure that something like:
>     select * from users where (a = 1 and 1 = 1;
> is valid in *any* DBMS?

> !! So..., adding a comment isn't always the best. Could you please think
> !! about an example where 1 AND 1=1 wouldn't work, and 1 AND 1=1-- would?
>
> ... where id = <value> and id > 42 ...

Injecting false: ... where id = 1 and 1 = 2 and id > 42: Zero results would be returned.
Injecting true:  ... where id = 1 or 1 = 1 and id > 42: All rows from the table would be returned.

I don't understand why you say that "1 AND 1=1" wouldn't work, and "1 AND 1=1--" would.

Cheers,
--
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
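The query shape Achim and Andres are arguing about, `... where id = <value> and id > 42`, can be run against a throwaway table to see exactly what each of the discussed payloads does with and without a trailing comment, and to see that the same inputs are inert once the value is bound as a parameter. This is an added example written for this page, not code from the thread or from w3af; it assumes Python's bundled `sqlite3` module, a constructed four-row `users` table, and uses only the `--` comment form because SQLite does not recognise MySQL's `#` line comment.

```python
import sqlite3

# Constructed sample table (not from the thread): four users, two with id > 42.
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (43, "carol"), (44, "dave")]

# The payloads discussed in the thread, with and without a trailing comment.
# SQLite only understands "--" line comments; MySQL would additionally accept "#".
PAYLOADS = {
    "baseline": "1",
    "false_no_comment": "1 and 1=2",
    "true_no_comment": "1 or 1=1",
    "true_comment": "1 or 1=1 --",
}


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, name text)")
    conn.executemany("insert into users values (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, user_input):
    """String-concatenated query of the shape from the thread:
    ... where id = <value> and id > 42.  The input is parsed as SQL, so a
    trailing '--' removes the 'and id > 42' condition entirely, while without
    the comment that condition is still evaluated (bound to the '1=1' by AND
    precedence)."""
    sql = "select id from users where id = " + user_input + " and id > 42"
    return sorted(row[0] for row in conn.execute(sql))


def safe_lookup(conn, user_input):
    """Same query with a bound parameter: the input is only ever a value.
    SQLite applies the column's numeric affinity to the bound text, so '44'
    matches id 44 but '1 or 1=1 --' stays a string and matches nothing."""
    sql = "select id from users where id = ? and id > 42"
    return sorted(row[0] for row in conn.execute(sql, (user_input,)))


def compare_payloads():
    """Run every payload through both versions.
    Returns {label: (rows from concatenated query, rows from bound query)}."""
    conn = make_db()
    results = {}
    for label, payload in PAYLOADS.items():
        results[label] = (vulnerable_lookup(conn, payload),
                          safe_lookup(conn, payload))
    return results


if __name__ == "__main__":
    for label, (concat_rows, bound_rows) in compare_payloads().items():
        print(f"{label:17} concat -> {concat_rows}   bound -> {bound_rows}")
```

On this table the concatenated query returns nothing for the baseline and for the "false" payload, returns the id-1 row plus the rows with id > 42 for `1 or 1=1` (the trailing condition survives), and returns every row only once the `--` discards it; the bound version returns an empty result for all four, which is the behaviour a scanner's true/false comparison should fail to distinguish on a correctly written application.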