Wednesday, June 14, 2017

Numeric SQL Injection

Task



Now we need to know the admin's (Neville) user ID. To find it, start Tamper Data and check the employee ID. This is what I can see.



Now I know the admin's user ID.

After that we can log in as a normal user.


Then we can see the screen below.




In View Profile, below are the parameters I can see.






Now we can try to change the employee_id data.

If I change it to 112, it is not successful.

After that we can use 101 or 1=1. This is successful, but we only get Larry's data, not the admin's data.

In the third try, use 101 or 1=1 order by employee_id desc
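To show why the three attempts above behave as they do, and how the lesson's bug is fixed, here is an added example that is not part of the original post or of WebGoat: a constructed employee table (IDs 101 for Larry and 112 for Neville, an owner_id column standing in for the lesson's access check) queried once by string concatenation and once with an integer-validated, parameterised query.

```python
import sqlite3


def make_db():
    """Constructed sample data, not the lesson's real schema."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE employee (employee_id INTEGER, owner_id INTEGER, name TEXT, role TEXT)"
    )
    # owner_id is the user who is allowed to view that profile (assumption).
    db.executemany(
        "INSERT INTO employee VALUES (?, ?, ?, ?)",
        [(101, 101, "Larry", "employee"), (112, 112, "Neville", "admin")],
    )
    return db


def view_profile_vulnerable(db, session_user, raw_employee_id):
    """Numeric parameter concatenated straight into the SQL text.

    '112'                               -> owner check fails, no row
    '101 or 1=1'                        -> OR defeats the owner check, first row (Larry)
    '101 or 1=1 order by employee_id desc' -> highest id first (Neville, the admin)
    """
    sql = (
        "SELECT name, role FROM employee "
        f"WHERE owner_id = {session_user} AND employee_id = {raw_employee_id}"
    )
    return db.execute(sql).fetchone()


def view_profile_safe(db, session_user, raw_employee_id):
    """Hardened form: validate the type, then bind the value.

    int() rejects anything that is not a plain integer, so the payloads above
    never reach the database, and the bound parameter cannot alter the query.
    """
    try:
        employee_id = int(raw_employee_id)
    except ValueError:
        return None  # reject the request; a real app would also log it
    sql = "SELECT name, role FROM employee WHERE owner_id = ? AND employee_id = ?"
    return db.execute(sql, (session_user, employee_id)).fetchone()
```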