Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SQL-Injection escape ')'

From: nummish <nummish () gmail com>
Date: Mon, 5 Jul 2004 10:44:38 -0400
I don't have a solution for you, but part of the problem you are
facing is that you don't seem to be testing against a SQL Server
database.

afaik MS Access (gathering that from the ODBC Error message)  doesn't
support comments in Jet SQL. This means # or -- aren't going to get
you further than the syntax error you keep seeing.

Another thing, since you are trying to exploit a MS Access database,
you aren't going to have any luck reading the SysObjects table. MS
Access uses a MSysObjects table instead.

Good luck with the remainder of the test.

On Sat, 3 Jul 2004 07:45:36 -0700 (PDT), Strcpy <elite_netbios () yahoo com> wrote:

I tried to pass it by useing # or -- or ')'=')' at the
end of my query strings , but non worked :/



A') select name from sysobjects where xtype='U'--

[Microsoft][ODBC Microsoft Access Driver] Syntax
error. in query expression 'city_name='Tehran' and
(agency_english ='A') select name from sysobjects
where xtype='U'--')'


- nummish

-- 
Bigger 1:23
0x90.org
Previous By Date Next
Previous By Thread Next

Current thread: