List,

I'm doing a pentest on a website that uses Informix Web DataBlade and found a SQL injection point. I have been able to use the webexplode() stored procedure to execute any SQL commands, and also operating system commands using SYSTEM. The problem I have is that SYSTEM doesn't return the execution result (it's a procedure, not a function), so I have to save them to a file; for example: SYSTEM 'ls /etc/ > /tmp/result' and then read that file... The problem is... how do I read that file? I have tried with "load from ..." and it fails with a syntax error, and on the other hand, when I use FILETOCLOB('/tmp/result','server') I don't know how to get the contents of the CLOB... Does anyone know something about Informix?

Cheers,

-- 
Joshua Tagnore