Database error messages often contain information that you can use to
advance an attack. For example, they often disclose the query that generated
the error, enabling you to fine-tune a SQL injection attack:
Failed to retrieve row with statement - SELECT object_data FROM
deftr.tblobject WHERE object_id = 'FDJE00012' AND project_id = 'FOO' and
1=2--'
See Chapter 9 for a detailed methodology describing how to develop
database attacks and extract information based on error messages.
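The error handler that produces a message like the one above, beside a corrected form, as an added example that is not from the original text. It assumes Python's sqlite3 module and a constructed in-memory table; the function names are hypothetical.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("app.db")


def make_db():
    """Constructed sample data; columns mirror the error message quoted above."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblobject "
               "(object_id TEXT, project_id TEXT, object_data TEXT)")
    db.execute("INSERT INTO tblobject VALUES ('FDJE00012', 'FOO', 'payload')")
    return db


def fetch_verbose(db, object_id, project_id):
    """Weak form: concatenated SQL, and the statement is echoed on failure."""
    sql = ("SELECT object_data FROM tblobject WHERE object_id = '%s' "
           "AND project_id = '%s'" % (object_id, project_id))
    try:
        row = db.execute(sql).fetchone()
        return 200, row[0] if row else ""
    except sqlite3.Error as exc:
        # The response discloses the full query and the driver's error text.
        return 500, "Failed to retrieve row with statement - %s (%s)" % (sql, exc)


def fetch_hardened(db, object_id, project_id):
    """Corrected form: bound parameters, failure detail kept server-side."""
    sql = ("SELECT object_data FROM tblobject "
           "WHERE object_id = ? AND project_id = ?")
    try:
        row = db.execute(sql, (object_id, project_id)).fetchone()
        return 200, row[0] if row else ""
    except sqlite3.Error:
        # The correlation ID ties the generic response to the log entry.
        ref = uuid.uuid4().hex
        log.exception("query failed ref=%s statement=%s", ref, sql)
        return 500, "An internal error occurred. Reference: %s" % ref


if __name__ == "__main__":
    db = make_db()
    print(fetch_verbose(db, "FDJE00012'", "FOO"))    # statement leaks in body
    print(fetch_hardened(db, "FDJE00012'", "FOO"))   # quote is plain data
    print(fetch_hardened(sqlite3.connect(":memory:"), "FDJE00012", "FOO"))
```

The last call forces a failure (the table is missing) to show that the hardened response carries only the reference, while the statement and driver error go to the server log.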
HACK STEPS
■