And what's the original sqlmap command you used?
Bye
On Wed, Dec 3, 2014 at 1:39 PM, Harry Acker wrote:
> I'm testing an app which I've confirmed is running Oracle and has
> injection into the order by field.
>
> http://xxx/test?order=id
>
> id is a direct mapping to the database column name. I
I'm testing an app which I've confirmed is running Oracle and has injection
into the order by field.

http://xxx/test?order=id

id is a direct mapping to the database column name. I confirmed injection
with the following:

http://xxx/test?order=%28select%20%27id%27%20from%20dual%29

The site return