I am back again with another question regarding DVWA. I've upgraded to MsSQL 2005 this time, and I have another set of questions. I don't understand a couple of things.
I would like for some kind individual to make it clear to me.
So basically, as usual - my goal is to obtain all databases from the DVWA, as well as escalate to the admin panel using manual injection techniques.
What I have so far is the database, but I am getting a little confused with the change in syntax. I asked the server to get the databases, and it returned the first database. My query is as follows:
+and+1=convert(int,db_name())--
My first question is - how can I edit this query so that I will be able to see all the databases, because from my knowledge, this query only drops the 1st database in the SQL data. Okay, my second question is, the first database that was dropped was "information", when I looked for the tables using this query:
+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))--
It returned the first table of that database. Firstly, let's say I have more than the first database, how can I change this query to get the tables for whatever that database name would be? Secondly, the table it returned was tbl_info_id.
Take note, the server is running IIS 6.0, on ColdFusion.
As I am aware, to request the next table from that database I would have to create a query such as this one:
+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in('tbl_info_id')))--
How come when I write it, the server responds with:
[SQLServer]Incorrect syntax near 'tbl_info_id'.
That's all, if anyone can explain all this to me, it would be greatly appreciated! Cheers.
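
Added example, not part of the original post: a defender's view of the probes quoted above, as a small detector that flags the `convert(int, ...)` error-based pattern in the `cs-uri-query` field of IIS W3C logs. The log lines, paths and addresses are constructed for illustration, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Signatures taken from the probes quoted in the post above.
PATTERNS = {
    "convert_int_probe": re.compile(r"=\s*convert\s*\(\s*int\s*,", re.I),
    "metadata_enum": re.compile(r"\b(?:information_schema\.\w+|db_name\s*\()", re.I),
    "trailing_comment": re.compile(r"--\s*$"),
}

# Constructed sample log; paths, dates and addresses are hypothetical.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2009-01-01 10:00:00 GET /item.cfm id=5 192.0.2.10 200
2009-01-01 10:00:05 GET /item.cfm id=5+and+1=convert(int,db_name())-- 192.0.2.77 500
2009-01-01 10:00:09 GET /item.cfm id=5+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))-- 192.0.2.77 500
2009-01-01 10:00:12 GET /search.cfm q=convert+int+to+string 192.0.2.10 200
"""

def normalize(query):
    """Decode twice (covers double encoding), drop /* */ comments, collapse spaces."""
    text = query
    for _ in range(2):
        text = unquote_plus(text)
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text).strip()

def classify(query):
    """Return the sorted names of every signature that matches the query string."""
    text = normalize(query)
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))

def scan(log_lines):
    """Return (c-ip, cs-uri-stem, sc-status, hits) for each suspicious request."""
    fields, findings = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order comes from the log header
            continue
        if line.startswith("#") or not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        hits = classify(row.get("cs-uri-query", "-"))
        if hits:
            findings.append((row.get("c-ip"), row.get("cs-uri-stem"),
                             row.get("sc-status"), hits))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

A run of 500 responses from one client on requests that match `convert_int_probe` is the signal to look for, since this technique depends on the database error text being returned to the browser.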