WebApp Sec mailing list archives

SQL Injection Basics


From: raul.johhut () hushmail com
Date: Sat, 8 Feb 2003 17:21:47 -0800


I am pen testing a webapp and am having some problems with SQL injection. 

The app creates an ODBC error. Is this a guarantee of SQL injection?

If I use www.victim/test.asp?userid=sfdsd

the error is "incorrect syntax near line 28 of test.asp" (or that's the English translation equivalent in my case).

I know the database is called master, and has a table test. What is the syntax I should use?

What are the best freeware and open source tools for testing SQL injection? I tried WPoison, which was OK.

I also tried WebSleuth (which seems to have gone from GPL to closed source commercial, btw). Am I right in saying that the SQL plugin has to connect directly to the database to work? I can only see port 80, so I don't think this will work?

Thanks, Raul.


