Penetration Testing mailing list archives
Re: SQL-Injection escape ')'
From: Strcpy <elite_netbios () yahoo com>
Date: Mon, 5 Jul 2004 02:19:25 -0700 (PDT)
Hi Tyler no , the system tables are not same . for example "sysobjects" in MS-SQL is equal to "Msysobjects" in MS-Access . but here it`s not our case . cus I`m in trouble to find the entry point . --- Tyler Durden <fadingreality414 () yahoo com> wrote:
I'm most likely wrong, but does MS Access Databases use the same syntax as SQL databases do? I'd look into that. --Oedipus --- Strcpy <elite_netbios () yahoo com> wrote:Hi list . I`m working on a web-application for vulnerability assesments in order to complete a pen-test job. there is a vulnerable query there but I can`tescapeit ad use it to go farther . the page script add a ')' to end of query string always. I tried to pass it by useing # or -- or ')'=')' at the end of my query strings , but non worked :/ here is an example : i sent this : A') select name from sysobjects where xtype='U'-- [Microsoft][ODBC Microsoft Access Driver] Syntax error. in query expression 'city_name='Tehran' and(agency_english ='A') select name from sysobjects where xtype='U'--')' would you mind please help me ? [sorry for poor English] thnq all __________________________________ Do you Yahoo!? Yahoo! Mail - 50x more storage than otherproviders!http://promotions.yahoo.com/new_mail__________________________________ Do you Yahoo!? New and Improved Yahoo! Mail - 100MB free storage! http://promotions.yahoo.com/new_mail
__________________________________ Do you Yahoo!? Yahoo! Mail Address AutoComplete - You start. We finish. http://promotions.yahoo.com/new_mail
Current thread:
- SQL-Injection escape ')' Strcpy (Jul 04)
- Re: SQL-Injection escape ')' Fabrice MARIE (Jul 05)
- Re: SQL-Injection escape ')' Thor (Jul 05)
- Re: SQL-Injection escape ')' nummish (Jul 05)
- Re: SQL-Injection escape ')' Roman Medina (Jul 06)
- <Possible follow-ups>
- Fwd: RE: SQL-Injection escape ')' Strcpy (Jul 05)
- Fwd: RE: SQL-Injection escape ')' Strcpy (Jul 05)
- Re: SQL-Injection escape ')' Strcpy (Jul 05)
- RE: SQL-Injection escape ')' Esmat, Ayman (ISS Middle East) (Jul 05)