Penetration Testing mailing list archives
Re: SQL-Injection escape ')'
From: nummish <nummish () gmail com>
Date: Mon, 5 Jul 2004 10:44:38 -0400
I don't have a solution for you, but part of the problem you are facing is that you don't seem to be testing against a SQL Server database. afaik MS Access (gathering that from the ODBC Error message) doesn't support comments in Jet SQL. This means # or -- aren't going to get you further than the syntax error you keep seeing. Another thing, since you are trying to exploit a MS Access database, you aren't going to have any luck reading the SysObjects table. MS Access uses a MSysObjects table instead. Good luck with the remainder of the test. On Sat, 3 Jul 2004 07:45:36 -0700 (PDT), Strcpy <elite_netbios () yahoo com> wrote:
I tried to pass it by useing # or -- or ')'=')' at the end of my query strings , but non worked :/
A') select name from sysobjects where xtype='U'-- [Microsoft][ODBC Microsoft Access Driver] Syntax error. in query expression 'city_name='Tehran' and (agency_english ='A') select name from sysobjects where xtype='U'--')'
- nummish -- Bigger 1:23 0x90.org
Current thread:
- SQL-Injection escape ')' Strcpy (Jul 04)
- Re: SQL-Injection escape ')' Fabrice MARIE (Jul 05)
- Re: SQL-Injection escape ')' Thor (Jul 05)
- Re: SQL-Injection escape ')' nummish (Jul 05)
- Re: SQL-Injection escape ')' Roman Medina (Jul 06)
- <Possible follow-ups>
- Fwd: RE: SQL-Injection escape ')' Strcpy (Jul 05)
- Fwd: RE: SQL-Injection escape ')' Strcpy (Jul 05)
- Re: SQL-Injection escape ')' Strcpy (Jul 05)
- RE: SQL-Injection escape ')' Esmat, Ayman (ISS Middle East) (Jul 05)