Penetration Testing mailing list archives
JET sql help please anyone
From: "Gary O'leary-Steele" <GaryO () sec-1 com>
Date: Fri, 30 Nov 2001 12:07:14 -0000
Hello all,

I am performing a pen test against an IIS server which uses Microsoft Jet to contact a database. I tried the usual stuff such as ' in the various fields and received a promising error:

    Microsoft JET Database Engine error '80040e14'
    Syntax error in string in query expression '((User.UserCurrent)=True) AND (User.UserId = ''') ORDER BY user.Name'.
    /blah/blahbalh/search.asp, line 66

And then tried

    ')OR |shell("dir")|;

and got

    Microsoft JET Database Engine error '80040e14'
    Invalid use of vertical bars in query expression '((user.userCurrent)=True) AND (user.userId = '')OR |shell("dir")|'.
    /blah/blahbalh/search.asp, line 66

So I tried

    admin' ); master..xp_cmdshell("dir");--

And received

    Microsoft JET Database Engine error '80040e14'
    Characters found after end of SQL statement.
    /blah/blahbalh/search.asp, line 66

Various other errors occurred during the test, such as

    Microsoft JET Database Engine error '80040e14'
    Invalid SQL statement; expected 'DELETE', 'INSERT', 'PROCEDURE', 'SELECT', or 'UPDATE'.

Any ideas?

Regards,
Gary
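Added example, not part of the original post: the query expression quoted in the first error shows the form field being pasted between single quotes, which is the defect the developer has to fix. The sketch below rebuilds that expression and contrasts it with a bound parameter; SQLite stands in for Jet, and the SELECT list, the sample row and all function names are assumptions.

```python
import sqlite3

# Query expression exactly as leaked by the first Jet error in the post;
# "{}" marks where the form field lands. The SELECT list below is assumed.
LEAKED = "((User.UserCurrent)=True) AND (User.UserId = '{}') ORDER BY user.Name"
BOUND = "((User.UserCurrent)=True) AND (User.UserId = ?) ORDER BY user.Name"


def make_db():
    """Constructed sample table; SQLite is a stand-in for the Jet database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE User (UserId TEXT, Name TEXT, UserCurrent INTEGER)")
    db.execute("INSERT INTO User VALUES ('gary', 'Gary', 1)")
    return db


def concatenated_expression(user_id):
    """String building as the error text implies: input becomes SQL text."""
    return LEAKED.format(user_id)


def search_concatenated(db, user_id):
    sql = "SELECT Name FROM User WHERE " + concatenated_expression(user_id)
    return [row[0] for row in db.execute(sql)]


def search_bound(db, user_id):
    """Same predicate, but the value travels as a parameter, never as SQL."""
    sql = "SELECT Name FROM User WHERE " + BOUND
    return [row[0] for row in db.execute(sql, (user_id,))]


def outcome(search, db, user_id):
    """Return ('rows', [...]) or ('sql-error', message) instead of raising."""
    try:
        return ("rows", search(db, user_id))
    except sqlite3.Error as exc:
        return ("sql-error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ("gary", "'"):
        print(repr(value), "->", concatenated_expression(value))
        print("  concatenated:", outcome(search_concatenated, db, value))
        print("  bound:       ", outcome(search_bound, db, value))
```

With the bound form a lone quote is just a user id that matches nothing, so the engine never raises the syntax error whose text discloses the query; custom error pages then cover whatever else could fail.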