Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SQL-Injection escape ')'

From: Strcpy <elite_netbios () yahoo com>
Date: Mon, 5 Jul 2004 02:19:25 -0700 (PDT)
Hi Tyler

no , the system tables are not same .
for example "sysobjects" in MS-SQL is equal to
"Msysobjects" in MS-Access .
but here it`s not our case . cus I`m in trouble to
find the entry point . 

--- Tyler Durden <fadingreality414 () yahoo com> wrote:

I'm most likely wrong, but does MS Access Databases
use the same syntax as SQL databases do?


I'd look into that.

--Oedipus




--- Strcpy <elite_netbios () yahoo com> wrote:

Hi list .

I`m working on a web-application for vulnerability
assesments in order to complete a pen-test job.

there is a vulnerable query there but I can`t

escape

it ad use it to go farther .
the page script add a ')' to end of query string
always.
I tried to pass it by useing # or -- or ')'=')' at
the
end of my query strings , but non worked :/

here is an example :
i sent this :
A') select name from sysobjects where xtype='U'--


[Microsoft][ODBC Microsoft Access Driver] Syntax
error. in query e

xpression 'city_name='Tehran' and

(agency_english ='A') select name from sysobjects
where xtype='U'--')' 

would you mind please help me ?

[sorry for poor English]

thnq all




            
__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other

providers!

http://promotions.yahoo.com/new_mail





      
              
__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - 100MB free storage!
http://promotions.yahoo.com/new_mail 





                
__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail
Previous By Date Next
Previous By Thread Next

Current thread: