Timeline for How to get the output of a SQL injection?
Current License: CC BY-SA 3.0
4 events
| when | what | | by | license | comment |
|---|---|---|---|---|---|
| Oct 9, 2013 at 21:20 | comment | added | DarkMantis | | Oh sure, there are a lot of features in SQLMap that I couldn't do manually without reading up on the source code or taking a long time to investigate what's going on, but as long as you take the effort to learn and at least know the common injection techniques, that is a good start. |
| Oct 9, 2013 at 21:18 | comment | added | Abe Miessler | | I see your point. I also think that it's ok to use a tool when you don't understand 100% of how it works as long as you continue to try and understand it... I have the sqlmap source on my machine and when I am feeling adventurous I do poke around in it (and I have learned by doing that). |
| Oct 9, 2013 at 21:10 | comment | added | DarkMantis | | Tbh in my opinion you shouldn't really use a tool without knowing what it does, for example, did you know that SQLMap spams the logs with requests from "{SOME IP} - Location - Time - (SQLMap)" or similar? Also, your injection technique there is incorrect, it would have to be `search=blah' UNION ALL SELECT username, password USERS LIMIT 0,1;#'rest-of-query`. Good explanation though :) |
| Oct 9, 2013 at 20:44 | history | answered | Abe Miessler | CC BY-SA 3.0 |