> I started to code a w3af extension to detect blind sql injections this
> way, and I realized that CONCAT only works on mysql (doh! , that

are you sure? IIRC MySQL 3.x does not support CONCAT.

> http://some.tld/?id=1+1-1

And here we ask how + was encoded and what the application assumed it to be. Strictly looking at the RFC it would become a space, but applications decode the + here to itself too, sometimes. Just keep it in mind, and probably test both variants.

> BUT the problem is that you don't really know if the second "No
> results" is because of a successful SQL injection where the concat was
> evaluated, or just because the data was validated and there is no
> "CONCAT('spam.','eggs')" in the search table. Are my ideas ok? Did
> I just find the only case where the technique will fail and I should
> code it disregarding this false positive generation issue? What do you
> guys think?

difficult. That's 'cause the Subject: says *Blind SQL Injection* :)

You have to find a value first which returns a result, then you can use concat() to test the injection. It's the other way around as you described it, somehow:

Search: something --> got a result
Search: concat('some','thing') --> same result

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
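An added Python example (not code from the thread or from w3af) of the two points made above: the probe only tells you something when the baseline value already returns rows, and a parameterized query makes the probe indistinguishable from a plain "No results". It emulates MySQL's CONCAT() in SQLite with a registered function and uses the numeric-id context of the ?id=1+1-1 URL quoted above; the table, its rows and the handler names are assumptions.

```python
import sqlite3
from urllib.parse import unquote, unquote_plus


def make_db():
    conn = sqlite3.connect(":memory:")
    # SQLite has no CONCAT(); register one so the demo behaves like MySQL.
    conn.create_function("CONCAT", 2, lambda a, b: str(a) + str(b))
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    # Constructed sample rows, not data from the thread.
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "something"), (2, "other")])
    return conn


def search_vulnerable(conn, term):
    """Query built by string formatting: the parameter is evaluated as SQL."""
    sql = "SELECT name FROM items WHERE id = %s" % term
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return []  # the application answers "No results" on any error


def search_safe(conn, term):
    """Parameterized query: the value stays data and is never evaluated."""
    return conn.execute("SELECT name FROM items WHERE id = ?",
                        (term,)).fetchall()


def looks_injectable(search, baseline, probe):
    """Differential check from the reply: the baseline must already return
    rows; otherwise "No results" for the probe is the undecidable case the
    original poster describes (filtered input vs. no such row)."""
    base_rows = search(baseline)
    if not base_rows:
        return None  # pick a baseline that returns something first
    return search(probe) == base_rows


def plus_variants(raw):
    """A '+' in the query string is a space per the RFC but a literal plus in
    some applications; return both readings so both can be tried."""
    return sorted({unquote(raw), unquote_plus(raw)})
```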