WebApp Sec mailing list archives
Re: sql comment in access
From: John Bond <john.r.bond () gmail com>
Date: Mon, 23 Jan 2006 13:30:41 +0000
On 20/01/06, Robin Wood <dninja () gmail com> wrote:
Hi I'm trying to get sql injection working against a access db. I've tried the standard -- as a comment and I've also tried %0A and %0D
I belive that comments arn't possible in access. can you chain two commands together e.g. ?user=q'%20or%20'a'='a';select%20count(*)%20from%20login%20where%20username='a&pass=a would produce select * from login where username='q' or 'a'='a'; select count(*) from login where username='a' and password='a'; ------------------------------------------------------------------------- This List Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download AppScan 6.0 today. https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh --------------------------------------------------------------------------
Current thread:
- sql comment in access Robin Wood (Jan 20)
- Re: sql comment in access John Bond (Jan 23)
- Message not available
- Re: sql comment in access John Bond (Jan 23)
- Message not available
- Re: sql comment in access John Bond (Jan 23)
- <Possible follow-ups>
- sql comment in access Robin Wood (Jan 21)
- Re: sql comment in access Chuck (Jan 22)
- RE: sql comment in access Mark Atherton (Jan 23)
- Re: sql comment in access Robin Wood (Jan 23)