WebApp Sec mailing list archives
RE: sql comment in access
From: "Mark Atherton" <matherton () pba co uk>
Date: Mon, 23 Jan 2006 13:55:33 -0000
I'm pretty sure you can do comments in Access SQL, just use -- before the string and it comments everything after it.

Mark Atherton
IT Developer
Peter Brett Associates

-----Original Message-----
From: John Bond [mailto:john.r.bond () gmail com]
Sent: 23 January 2006 13:31
To: Robin Wood
Cc: webappsec () securityfocus com
Subject: Re: sql comment in access

On 20/01/06, Robin Wood <dninja () gmail com> wrote:
> Hi, I'm trying to get SQL injection working against an Access db. I've tried the standard -- as a comment and I've also tried %0A and %0D.
I believe that comments aren't possible in Access. Can you chain two commands together? e.g.

?user=q'%20or%20'a'='a';select%20count(*)%20from%20login%20where%20username='a&pass=a

would produce

select * from login where username='q' or 'a'='a'; select count(*) from login where username='a' and password='a';
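As an added example, not part of any message in this thread: the script below decodes John's query string, shows the exact text a handler that concatenates request values into SQL would send (which is the post's "would produce" claim made checkable), and beside it the parameterized lookup that keeps the whole payload as plain data. The login table, the single alice row and the use of sqlite3 as a stand-in for the Access database are all constructed assumptions, not anything from the thread.

```python
import sqlite3
from urllib.parse import unquote

# The query string from John Bond's post (everything after the '?'), as one literal.
RAW_QUERY = ("user=q'%20or%20'a'='a';select%20count(*)%20from%20login"
             "%20where%20username='a&pass=a")


def parse_query_string(raw):
    """Minimal x-www-form-urlencoded parser: split on '&', then on the first '=',
    then percent-decode. Hand-written so the ';' inside the payload is never
    treated as a pair separator (older urllib.parse.parse_qs versions do that)."""
    params = {}
    for pair in raw.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def build_by_concatenation(params):
    """The text a handler that splices request values into SQL ends up sending.
    This is the anti-pattern the thread is probing; it is built but never run."""
    return ("select * from login where username='%s' and password='%s'"
            % (params["user"], params["pass"]))


def statement_count(sql):
    """Crude count that makes the post's point measurable: more than one
    non-empty piece around ';' means the text has grown a second statement.
    A ';' inside a legitimate literal would be counted too, so treat it as a
    review aid, not a filter."""
    return len([s for s in sql.split(";") if s.strip()])


def lookup_user_parameterized(conn, user, pw):
    """Hardened form: placeholders pass the values as data, so the entire payload
    stays one string literal and the statement count stays at one."""
    cur = conn.execute(
        "select username from login where username=? and password=?", (user, pw))
    return cur.fetchall()


def demo():
    conn = sqlite3.connect(":memory:")  # constructed stand-in for the Access db
    conn.execute("create table login (username text, password text)")
    conn.execute("insert into login values ('alice', 'secret')")  # constructed row
    params = parse_query_string(RAW_QUERY)
    sql = build_by_concatenation(params)
    matches = lookup_user_parameterized(conn, params["user"], params["pass"])
    return sql, statement_count(sql), matches


if __name__ == "__main__":
    sql, count, matches = demo()
    print(count, "statement(s) after concatenation:", sql)
    print("parameterized lookup returned", matches)
```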
Current thread:
- sql comment in access Robin Wood (Jan 20)
- Re: sql comment in access John Bond (Jan 23)
- Re: sql comment in access John Bond (Jan 23)
- Re: sql comment in access John Bond (Jan 23)
- sql comment in access Robin Wood (Jan 21)
- Re: sql comment in access Chuck (Jan 22)
- RE: sql comment in access Mark Atherton (Jan 23)
- Re: sql comment in access Robin Wood (Jan 23)