test provides no evidence of a vulnerability.
■ If the first test is successful, you can obtain further evidence of the vulnerability by using more complicated expressions which use SQL-specific keywords and syntax. A good example of this is the ASCII command, which returns the numeric ASCII code of the supplied character. For example, because the ASCII value of A is 65, the following expression is equivalent to 2 in SQL:
67-ASCII('A')
■ The previous test will not work if single quotes are being filtered; however, in this situation you can exploit the fact that databases will implicitly convert numeric data to string data where required. Hence, because the ASCII value of the character 1 is 49, the following expression is equivalent to 2 in SQL:
51-ASCII(1)
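Why these equivalence tests give evidence, and what removes it, shown as an added example that is not from the original text: a numeric lookup built by string concatenation lets the database evaluate the expression, while a validated, bound parameter does not. The in-memory SQLite table, the function names and the sample rows are constructed for illustration; SQLite has no ASCII() function, so one is registered here as an assumption to mimic the behaviour described above.

```python
import sqlite3

def make_db():
    """Constructed sample database: three rows keyed by a numeric id."""
    db = sqlite3.connect(":memory:")
    # Assumption: stand-in for ASCII() on other databases. str() mirrors the
    # implicit numeric-to-string conversion, so ASCII(1) yields 49.
    db.create_function("ASCII", 1, lambda v: ord(str(v)[0]))
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [(1, "alpha"), (2, "bravo"), (3, "charlie")])
    return db

def lookup_concatenated(db, item_id):
    """Vulnerable form: the request value becomes part of the SQL text."""
    sql = "SELECT name FROM items WHERE id = " + item_id
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, item_id):
    """Hardened form: accept only an integer, then bind it as data."""
    try:
        value = int(item_id)
    except ValueError:
        return []  # an expression is not a valid id, so nothing is returned
    sql = "SELECT name FROM items WHERE id = ?"
    return [row[0] for row in db.execute(sql, (value,))]

def evaluates_input(lookup, db):
    """Regression check: True if an expression equal to 2 behaves like 2."""
    baseline = lookup(db, "2")
    probes = ["67-ASCII('A')", "51-ASCII(1)"]  # the two expressions above
    return bool(baseline) and any(lookup(db, p) == baseline for p in probes)

if __name__ == "__main__":
    db = make_db()
    print("concatenated lookup evaluates input:",
          evaluates_input(lookup_concatenated, db))
    print("bound lookup evaluates input:",
          evaluates_input(lookup_bound, db))
```

Run against a code base's own data-access helpers, a check like `evaluates_input` can serve as a regression test that numeric parameters are never interpreted as SQL.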
TIP