Author: jghgjb790 (Member, Posts: 24, Joined: 20.06.10, Rank: Hacker Level 1)
Subject: Don't bother reading. Shouldn't have even asked.
I'm new to MySQL. I'm pen-testing a site for a friend, and I just can't get the syntax right to view these listings that are supposed to be hidden. Anyone want to help? I've got:
SELECT listing.id, dealer.display FROM (listing,dealer)
WHERE dealer.display='on' AND hide != 'true'
AND dealer.id=listing.dealer_id
AND listing.make='/*begin injection*/'Acura'
AND TRUE=(INSERT INTO (listing,dealer) VALUES('v4LT0S34rChF0r'))
OR 'g'='r /*end injection*/ '
AND listing.model='anythinghere'
Edited by jghgjb790 on 12-07-10 03:10
Author: spyware (Member, Posts: 4190, Location: The Netherlands, Joined: 14.04.07, Rank: God, Warn Level: 90)
Subject: RE: MySQL syntax?
jghgjb790 wrote:
I'm new to MySQL. I'm pen-testing a site for a friend,
Stopped reading -right- there.

"The chowner of property." - Zeph
Widespread intellectual and moral docility may be convenient for leaders in the short term, but it is suicidal for nations in the long term. - Carl Sagan
Since the grid is inescapable, what were the earlier lasers about? Does the corridor have a sense of humor? - Ebert
Author: stealth- (Member, Posts: 995, Location: Eh?, Joined: 10.04.09, Rank: God)
Subject: RE: MySQL syntax?
I'm surprised people keep thinking someone is going to fall for something *that* obvious.
Come on, at least get a little creative, guys?
The irony of man's condition is that the deepest need is to be free of the anxiety of death and annihilation; but it is life itself which awakens it, and so we must shrink from being fully alive.
http://www.stealth-x.com
Author: jghgjb790 (Member, Posts: 24, Joined: 20.06.10, Rank: Hacker Level 1)
Subject: RE: MySQL syntax?
Okay, fine. The father of one of my friends. But w/e. I already showed him an XSS-able input form... I'm totally serious. Don't believe me if you don't want to, but help with the syntax please?
Also, updated code I'm trying.
Here's the output.
A Database Error Occurred
Error Number: 1064
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'INTO (listing,dealer) VALUES('v4LT0S34rChF0r')) OR 'g'='r' AND listing.year >='1' at line 3
SELECT listing.id, dealer.display FROM (listing,dealer) WHERE dealer.display='on' AND hide != 'true' AND dealer.id=listing.dealer_id AND listing.make='Acura' AND TRUE=(INSERT INTO (listing,dealer) VALUES('v4LT0S34rChF0r')) OR 'g'='r' AND listing.year >='1901' AND listing.mileage >=0
Edited by jghgjb790 on 11-07-10 23:29
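As an added example (not code from the thread or from the site under discussion), here is a constructed Python/sqlite3 model of the listing query quoted above. It contrasts the string-concatenation pattern that yields a parser error like the "error near ..." message in the post with the parameterized form that treats the make value as data; the table layout is an assumption derived from the column names in the query.

```python
import sqlite3

# Constructed in-memory stand-in for the listing/dealer tables, shaped after
# the column names visible in the thread's query (assumption: the real schema
# is unknown; 'hide' is treated here as a listing column).
SCHEMA = """
CREATE TABLE dealer (id INTEGER PRIMARY KEY, display TEXT);
CREATE TABLE listing (id INTEGER PRIMARY KEY, dealer_id INTEGER,
                      make TEXT, model TEXT, hide TEXT);
INSERT INTO dealer VALUES (1, 'on'), (2, 'off');
INSERT INTO listing VALUES (10, 1, 'Acura', 'TL', 'false'),
                           (11, 1, 'Acura', 'RDX', 'true'),
                           (12, 2, 'Acura', 'MDX', 'false'),
                           (13, 1, 'Rolls''Royce', 'Ghost', 'false');
"""

def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def search_unsafe(db, make):
    # The pattern the quoted error suggests: the user-supplied make is spliced
    # into the SQL text, so a quote in it changes the statement itself.
    sql = ("SELECT listing.id, dealer.display FROM listing, dealer "
           "WHERE dealer.display='on' AND hide != 'true' "
           "AND dealer.id=listing.dealer_id "
           "AND listing.make='" + make + "'")
    return [row[0] for row in db.execute(sql)]

def search_safe(db, make):
    # Same query with a bound parameter: the driver passes the value as data,
    # so quotes inside it can never terminate the literal or add clauses.
    sql = ("SELECT listing.id, dealer.display FROM listing, dealer "
           "WHERE dealer.display='on' AND hide != 'true' "
           "AND dealer.id=listing.dealer_id "
           "AND listing.make=?")
    return [row[0] for row in db.execute(sql, (make,))]

def unsafe_breaks_on_quote(db, make):
    # True when the concatenated query is rejected by the SQL parser, the same
    # failure mode as the MySQL error 1064 shown in the post above.
    try:
        search_unsafe(db, make)
        return False
    except sqlite3.OperationalError:
        return True
```

Running both functions with a make such as Rolls'Royce shows the concatenated version failing at parse time while the bound version returns the matching hidden-filtered listing.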
Author: spyware (Member, Posts: 4190, Location: The Netherlands, Joined: 14.04.07, Rank: God, Warn Level: 90)
Subject: RE: MySQL syntax?
I didn't help you because you're obviously a security novice and yet insist on "helping" people.
Author: outis (Member, Posts: 14, Joined: 01.05.08, Rank: Mad User)
Subject: RE: RTFM
You could do what the error message suggests and read the MySQL manual. It even shows you where in the query the syntax error occurs, which you can use to figure out which statement to look up.
Author: jghgjb790 (Member, Posts: 24, Joined: 20.06.10, Rank: Hacker Level 1)
Subject: RE: MySQL syntax?
outis wrote:
You could do what the error message suggests and read the MySQL manual. It even shows you where in the query the syntax error occurs, which you can use to figure out which statement to look up.
Yeah... I'm sorry for even posting this now. I'm going to bookmark that, and do all those steps before asking. Lesson learned! Thanks for your time!
Author: jghgjb790 (Member, Posts: 24, Joined: 20.06.10, Rank: Hacker Level 1)
Subject: RE: Don't bother reading. Shouldn't have even asked.
MoshBat wrote:
You could learn MySQL, and then injections.
Or maybe I'm overestimating you.
Well, I've learned 3 "real" languages pretty well, and I've experimented with that game maker crap. So, idk... Don't do game maker, kids!
Author: fuser (Member, Posts: 959, Location: in front of a computer (duh), Joined: 05.04.07, Rank: HBH Guru)
Subject: RE: Don't bother reading. Shouldn't have even asked.
a-hack wrote:
Well, I've learned 3 "real" languages pretty well
And they are?
html, english, and L337 5P34|<
Fail. Utter fail.

Telling modern Internet users to stop whining is like telling them to stop breathing; it seems unrealistic and inhumane. - Paul Lutus