Hi Roman,
Is there any recommended tool which helps to get database tables, entries, structure, etc., given a particular SQL injection bug in one application? I mean, it should *automatically* try different sentences to figure out the names of the columns and, in general, other useful info from the database. Perhaps a PoC of some of NGSSoftware's papers or a more elaborate tool...
I've just put up sqlinjector.zip on the databasesecurity.com website ( http://www.databasesecurity.com/webapplications.htm ). This is the tool (source and exe) you refer to. I never got around to completing it but it works as is - I'd rather the code was tidier.
HTH,
David

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
