I have a simple web application in ASP with a SQL Server back-end database. The login page has an injection point and I am able to bypass the login by the usual `' OR 1=1 '`. Now I was able to enumerate the columns in the database using GROUP BY and HAVING statements. I was able to enumerate the information in the error thrown at me.
`' or '1' = '1' GROUP BY tblCustomers.cust_id, tblCustomers.cust_name, tblCustomers.cust_password, tblCustomers.cust_account HAVING 1=1 --`
I am in the learning phase and I found out that `cust_id`, `cust_name`, `cust_password`, `cust_account` are the columns and `tblCustomers` is the table name.
I am also able to use AND statements along with the convert function to enumerate some information. The command I used is `' or '1' = '1' and 1 =convert(int,@@version)--` and again I am able to get the information in the errors.
Now, how can I dump the entries in the database to know at least the customer name and password? I tried stacked queries separated by semicolons, but after executing the first query, i.e. `' OR 1=1`, I just log in and can't see any output as there's no other parameter. I cannot output it anywhere else on the page (there are no parameters and there's just a blank page after I log in). UNION SELECT is not working as I am not able to guess the first SELECT statement and its exits. Any functions that can help me dump the customer names and password?
I'll really appreciate any help with this. Thanks.
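
Added example, not part of the original post: the two weaknesses the question relies on (input concatenated into the login query, and raw database errors echoed to the client) shown next to a corrected login check. It assumes Python with an in-memory SQLite database standing in for the ASP/SQL Server application; the function names and sample row are hypothetical, and the table and column names are the ones from the post.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are those named in the post.
    # The plaintext password column mirrors that schema; store a salted hash in practice.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblCustomers (cust_id INTEGER PRIMARY KEY, "
               "cust_name TEXT, cust_password TEXT, cust_account TEXT)")
    db.execute("INSERT INTO tblCustomers VALUES (1, 'alice', 'correct-horse', 'ACC-001')")
    return db

def login_vulnerable(db, name, password):
    # Input is pasted into the SQL text, so a quote in it rewrites the query.
    sql = ("SELECT cust_id FROM tblCustomers WHERE cust_name = '" + name +
           "' AND cust_password = '" + password + "'")
    try:
        return ("ok" if db.execute(sql).fetchone() else "denied", None)
    except sqlite3.Error as exc:
        # Echoing the driver error is the channel that leaks schema details.
        return ("error", str(exc))

def login_hardened(db, name, password):
    # Placeholders bind input as data; it is never parsed as SQL.
    sql = "SELECT cust_id FROM tblCustomers WHERE cust_name = ? AND cust_password = ?"
    try:
        row = db.execute(sql, (name, password)).fetchone()
    except sqlite3.Error:
        # Log the detail server-side; the client only gets a generic message.
        return ("error", "Login failed.")
    return ("ok" if row else "denied", None)

if __name__ == "__main__":
    db = make_db()
    tautology = "' OR 1=1 --"   # constructed input in the form quoted in the post
    for fn in (login_vulnerable, login_hardened):
        print(fn.__name__, fn(db, tautology, "x"), fn(db, "'", "x"))
```

With bound parameters neither the tautology nor a stray quote reaches the SQL parser, so there is no bypass and no error text to read.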