The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

DUAL

‘ UNION SELECT NULL FROM DUAL--

When you have identified the number of columns required in your injected

query, and have found a column which has a string data type, you are in a

position to extract arbitrary data. A simple proof-of-concept test is to extract

the version string of the database, which can be done on any DBMS. For exam-

ple, if there are three columns, and the first column can take string data, you

can extract the database version by injecting the following query on MS-SQL

and MySQL:

‘ UNION SELECT @@version,NULL,NULL--

70779c09.qxd:WileyRed  9/14/07  3:13 PM  Page 254

Injecting the following query will achieve the same result on Oracle:

‘ UNION SELECT banner,NULL,NULL FROM v$version--

In the example of the vulnerable book search application, we can use this

string as a search term to retrieve the version of the Oracle database:

Download 5,76 Mb.

Do'stlaringiz bilan baham: