Re: SQL-Injection escape ')'

From: Strcpy (elite_netbios_at_yahoo.com)
Date: 07/05/04

Next message: Strcpy: "Fwd: RE: SQL-Injection escape ')'"

Previous message: Thor: "Re: SQL-Injection escape ')'"
Maybe in reply to: Strcpy: "SQL-Injection escape ')'"
Next in thread: Fabrice MARIE: "Re: SQL-Injection escape ')'"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 5 Jul 2004 02:19:25 -0700 (PDT)
To: pen-test@securityfocus.com

Hi Tyler

no , the system tables are not same .
for example "sysobjects" in MS-SQL is equal to
"Msysobjects" in MS-Access .
but here it`s not our case . cus I`m in trouble to
find the entry point .

--- Tyler Durden <fadingreality414@yahoo.com> wrote:
> I'm most likely wrong, but does MS Access Databases
> use the same syntax as SQL databases do?
>
>
> I'd look into that.
>
> --Oedipus
>
>
>
>
> --- Strcpy <elite_netbios@yahoo.com> wrote:
> > Hi list .
> >
> > I`m working on a web-application for vulnerability
> > assesments in order to complete a pen-test job.
> >
> > there is a vulnerable query there but I can`t
> escape
> > it ad use it to go farther .
> > the page script add a ')' to end of query string
> > always.
> > I tried to pass it by useing # or -- or ')'=')' at
> > the
> > end of my query strings , but non worked :/
> >
> > here is an example :
> > i sent this :
> > A') select name from sysobjects where xtype='U'--
> >
> >
> > [Microsoft][ODBC Microsoft Access Driver] Syntax
> > error. in query e
> xpression 'city_name='Tehran' and
> > (agency_english ='A') select name from sysobjects
> > where xtype='U'--')'
> >
> > would you mind please help me ?
> >
> > [sorry for poor English]
> >
> > thnq all
> >
> >
> >
> >
> >
> > __________________________________
> > Do you Yahoo!?
> > Yahoo! Mail - 50x more storage than other
> providers!
> > http://promotions.yahoo.com/new_mail
> >
>
>
>
>
>
> __________________________________
> Do you Yahoo!?
> New and Improved Yahoo! Mail - 100MB free storage!
> http://promotions.yahoo.com/new_mail
>

__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail

Next message: Strcpy: "Fwd: RE: SQL-Injection escape ')'"

Previous message: Thor: "Re: SQL-Injection escape ')'"
Maybe in reply to: Strcpy: "SQL-Injection escape ')'"
Next in thread: Fabrice MARIE: "Re: SQL-Injection escape ')'"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]