From: Thor (thor@hammerofgod.com)
Date: Sun Jul 04 2004 - 22:39:33 EDT
Have you tried a semicolon to separate commands? The concatenated string is
ending in "A')" so you'd want to use a ";" behind it to have the engine
interpret a different command set. Of course, that actually is a different
returned recordset, and may make the web app puke on you... "UNION SELECT"
is better in those cases where the app dev is expecting a single recordset
object as in "set adodbRecordSetObject = SQL"
hth
t
----- Original Message -----
From: "Strcpy" <elite_netbios@yahoo.com>
To: <pen-test@securityfocus.com>
Sent: Saturday, July 03, 2004 7:45 AM
Subject: SQL-Injection escape ')'
> Hi list .
>
> I`m working on a web-application for vulnerability
> assesments in order to complete a pen-test job.
>
> there is a vulnerable query there but I can`t escape
> it ad use it to go farther .
> the page script add a ')' to end of query string
> always.
> I tried to pass it by useing # or -- or ')'=')' at the
> end of my query strings , but non worked :/
>
> here is an example :
> i sent this :
> A') select name from sysobjects where xtype='U'--
>
>
> [Microsoft][ODBC Microsoft Access Driver] Syntax
> error. in query expression 'city_name='Tehran' and
> (agency_english ='A') select name from sysobjects
> where xtype='U'--')'
>
> would you mind please help me ?
>
> [sorry for poor English]
>
> thnq all
>
>
>
>
>
> __________________________________
> Do you Yahoo!?
> Yahoo! Mail - 50x more storage than other providers!
> http://promotions.yahoo.com/new_mail
>
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:57 EDT