Fwd: RE: SQL-Injection escape ')'

From: Strcpy (elite_netbios_at_yahoo.com)
Date: 07/05/04

  • Next message: Fabrice MARIE: "Re: SQL-Injection escape ')'" 
    Date: Mon, 5 Jul 2004 00:12:20 -0700 (PDT)
To: pen-test@securityfocus.com

    I tried "/" too , nothing new :-/
    it`s goeing odd.
    while useing the string :
    A'\) select name from sysobjects where xtype='U'--

    I get the " extra ) " error message wich is correct:

    [Microsoft][ODBC Microsoft Access Driver] Extra ) in
    query expression 'city_name='Tehran' and
    (agency_english ='A'\) select name from sysobjects
    where xtype='U'--')'.

    and when I try to remove that extra ")" , and bypass
    the ')' , problem re-appear :

    [Microsoft][ODBC Microsoft Access Driver] Extra ) in
    query expression 'city_name='Tehran' and
    (agency_english ='A'\) select name from sysobjects
    where xtype='U' while ')'=')'.

    Still looking for your help.
    ANY comment is appriciated.

                    
    __________________________________
    Do you Yahoo!?
    New and Improved Yahoo! Mail - Send 10MB messages!
    http://promotions.yahoo.com/new_mail

    attached mail follows:

    Date: Mon, 5 Jul 2004 07:54:41 +0200
To: "Strcpy" <elite_netbios@yahoo.com>, <pen-test@securityfocus.com>

    Hi,

    We used to put '\' before using the special-characters. Try this:
    A'\) select name from sysobjects where xtype='U'--

    -----Original Message-----
    From: Strcpy [mailto:elite_netbios@yahoo.com]
    Sent: Saturday, July 03, 2004 5:46 PM
    To: pen-test@securityfocus.com
    Subject: SQL-Injection escape ')'

    Hi list .

    I`m working on a web-application for vulnerability
    assesments in order to complete a pen-test job.

    there is a vulnerable query there but I can`t escape
    it ad use it to go farther .
    the page script add a ')' to end of query string
    always.
    I tried to pass it by useing # or -- or ')'=')' at the
    end of my query strings , but non worked :/

    here is an example :
    i sent this :
    A') select name from sysobjects where xtype='U'--

    [Microsoft][ODBC Microsoft Access Driver] Syntax
    error. in query expression 'city_name='Tehran' and
    (agency_english ='A') select name from sysobjects
    where xtype='U'--')'

    would you mind please help me ?

    [sorry for poor English]

    thnq all

                    
    __________________________________
    Do you Yahoo!?
    Yahoo! Mail - 50x more storage than other providers!
    http://promotions.yahoo.com/new_mail

  • Next message: Fabrice MARIE: "Re: SQL-Injection escape ')'"

    Relevant Pages

    • Fwd: RE: SQL-Injection escape )
      ... A'\) select name from sysobjects where xtype='U'-- ... Do You Yahoo!? ... the page script add a ')' to end of query string ...
      (Pen-Test)
    • Re: DoCmd.RunSQL Problem, please help!!!
      ... Syntax error in query expression ... > err.Description is a string, therefore needs quotes. ... > What exactly is the error message you're getting? ...
      (microsoft.public.access.formscoding)
    • Re: Error in Code, but I Cant Find It!
      ... Dim strWhere As String ... Dim strWhere2 As String ... Since the only query expression in your code is in the DMax ... when the IvSurvId field is Null. ...
      (microsoft.public.access.formscoding)
    • RE: SP Parameter
      ... create proc passing ... select * from sysobjects where name in (@inputPar) ... exec passing @string ...
      (microsoft.public.sqlserver.programming)
    • Re: Splitting the String
      ... CROSS JOIN sysobjects s2 ... DECLARE @Ids VARCHAR ... can anyone help me how can the splitting of the string is done. ...
      (microsoft.public.sqlserver.programming)