SQL Injection
From: Alex Harasic (aharasic@terra.cl)
Date: 02/20/02
Date: 20 Feb 2002 15:54:16 -0000
From: Alex Harasic <aharasic@terra.cl>
To: pen-test@securityfocus.com

Hi, I was trying SQL Injection things and I ran into the
following problem:
http://www.targethost.com/test.asp?pm=')
And I get the following results:
Microsoft VBScript runtime error '800a000d'
Type mismatch: '[string: "'"]'
D:\WEBROOT\..\..\include\ConstantesDNAfs.inc,
line 53
Ok. Besides the Path Disclosure problem, I'm trying
to build a SQL Query but it seems the server won't
let me pass quotes ( ' ) to it.
If instead of sending ') as a parameter I just put a ', it
brings me back to the start page.
Is there any way to bypass this type mismatch
thing? I could make SQL queries work with other .asp
but not this one.
Alex S. Harasic
aharasic@terra.cl