RE: sql injection with order by
From: Ernest Nelson (juridian_at_juridian.com)
Date: 04/09/05
- Previous message: szynkro_at_gmail.com: "Rogue AP Wireless on Windows/Linux"
- In reply to: dietf dietf: "sql injection with order by"
- Next in thread: Chitresh Sen: "Re: sql injection with order by"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'dietf dietf'" <dietf@yahoo.com>, <pen-test@securityfocus.com> Date: Fri, 8 Apr 2005 15:30:06 -0700
Adding the '--' comments out everything after the sql you're putting in. It
won't work without it because you are getting a syntax error on what you are
trying to run.
-----Original Message-----
From: dietf dietf [mailto:dietf@yahoo.com]
Sent: Thursday, April 07, 2005 8:52 PM
To: pen-test@securityfocus.com
Subject: sql injection with order by
Hi all,
I am trying to make an injection with the statement below,
SQL = "SELECT ProID, CusID, Name FROM ProTur WHERE Lan=0 AND
CusID='%Customer%' ORDER BY Sira, ProjeTurID"
in the statement above I inject ")select @@version-- for the variable
Customer. But unless I have ended inject code with -- nothing happens.
I get
SQL = "SELECT ProID, CusID, Name FROM ProTur WHERE Lan=0 AND
FirmaID=")select @@version-- ORDER BY Sira, ProjeTurID"
what is the problem? can anybody tell me?
Is the problem occurs from the word ORDER BY?
Thanks
- Previous message: szynkro_at_gmail.com: "Rogue AP Wireless on Windows/Linux"
- In reply to: dietf dietf: "sql injection with order by"
- Next in thread: Chitresh Sen: "Re: sql injection with order by"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
