WebApp Sec mailing list archives

Re: SQL injection 2


From: Juan Carlos Reyes Muñoz <jcreyes () 007mundo com>
Date: Sun, 20 Apr 2003 14:25:16 -0500

Most of the SQL sentences can be issued via a UNION clause; the matter is that you must know how many columns the first sentence is looking for and put an equal number of columns on the UNION side.

In fact, many sentences can be issued when you put "' UNION <new sentence> --" (without the initial and ending quotes).

You can try the insert in that way ;)


jcr

falcifer wrote:

how can I insert an insert command in a SQL sentence that looks like
select * from parameter???
the database is Access and when I try to insert something like
pameter=table;insert%20into%20clientes(uspw,pwus)%20values('j','j')

the ODBC returns this error

error '80040e14'
[Microsoft][Controlador ODBC Microsoft Access] Se encontraron caracteres
después del final de la instrucción SQL.

/visornew.asp, line 10

it means: "there are characters after the SQL sentence"
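The injection point in this thread is the table name of `select * from parameter`, and a table name cannot be bound as a query parameter, so the usual parameterized-query fix does not apply; the request value has to be mapped onto a fixed allowlist instead. The following is an added defensive illustration, not code from the thread or from visornew.asp: it assumes the viewer script picks the table from the `parameter` query-string value, uses an in-memory SQLite database as a stand-in for Access, and shows that both payloads discussed above are rejected before any SQL is built.

```python
import sqlite3
from urllib.parse import parse_qs

# Tables the viewer page is allowed to expose (constructed example data).
ALLOWED_TABLES = {"parameter", "clientes"}


class RejectedInput(ValueError):
    """Raised when the request does not name exactly one allowed table."""


def table_from_query_string(qs):
    """Resolve the 'parameter' value of a query string to an allowed table.

    parse_qs URL-decodes, so '%20' and ';' arrive as literal characters.
    Older Python versions also split on ';', which would yield 'table' as
    the value; either way the allowlist check below rejects the request.
    """
    values = parse_qs(qs).get("parameter", [])
    if len(values) != 1:
        raise RejectedInput("exactly one 'parameter' value expected")
    name = values[0]
    if name not in ALLOWED_TABLES:
        raise RejectedInput("unknown table: %r" % name)
    return name


def build_query(qs):
    """Build the SELECT only from an allowlisted, quoted identifier."""
    return 'SELECT * FROM "%s"' % table_from_query_string(qs)


def is_accepted(qs):
    """True if the query string would reach the database at all."""
    try:
        build_query(qs)
        return True
    except RejectedInput:
        return False


def run_query(qs):
    """Execute the built query against a constructed in-memory schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE parameter (id INTEGER, name TEXT);
        CREATE TABLE clientes (uspw TEXT, pwus TEXT);
        INSERT INTO parameter VALUES (1, 'alpha');
    """)
    try:
        return conn.execute(build_query(qs)).fetchall()
    finally:
        conn.close()
```

A stacked statement would have been refused by the Access ODBC driver anyway, as the error above shows, but the UNION form would not be; the allowlist stops both at the same place.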



