sql injection


Posted on 17-08-07 01:11
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'user_namexxx='' or a=a--''.

/webrecruit/includes/dataconn.asp, line 17

This is my error, but I don't see any group by clause. My question: is this exploitable using sum?

RE: sql injection


Posted on 17-08-07 01:52
Google 'advanced sql injection'; there is an article that is "very useful" in completing this challenge :happy:

[edit]
Oops, never mind, I thought you were working on like basic 21. The article still might be useful though.
[/edit]




Edited by on 17-08-07 01:54

RE: sql injection


Posted on 23-08-07 03:05
Yes, that's exploitable. Just play around with syntax until you get something that doesn't yell at you.



RE: sql injection


Posted on 23-08-07 09:45
:right: I don't think that's about a challenge.
What you might want to do first is get some existing table names...
You can query the db, make it spit an error including the first table name,
then the second, etc... till you think you have enough...

Most of the time something like this:


select top 1 table_name from information_schema.tables-


will work.




Edited by on 23-08-07 10:03

RE: sql injection


Posted on 23-08-07 12:30
darksun wrote:
:right: I don't think that's about a challenge.
What you might want to do first is get some existing table names...
You can query the db, make it spit an error including the first table name,
then the second, etc... till you think you have enough...

Most of the time something like this:


select top 1 table_name from information_schema.tables-


will work.


I never said it was, in fact, the fact that it's an MS-SQL database makes it obvious it isn't. I think he needs help with finding out how to get other commands to inject properly, not help with what commands to inject.
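
The error in the first post points to two server-side defects: the form value is concatenated into the query text, and the driver's error (with file path and line number) is returned to the client. The following is an added example, not code from the thread, showing the concatenated form beside a parameterized one with generic error output. It uses Python's sqlite3 as a stand-in for the ASP/Access stack, and the table, column and function names are hypothetical.

```python
import sqlite3

GENERIC_ERROR = "An internal error occurred."


def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_name TEXT, email TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'alice@example.test')")
    return db


def lookup_concatenated(db, name):
    # 'Before' form: the input is spliced into the SQL text, so a quote in
    # the input changes the statement, and the raw driver error is returned.
    sql = "SELECT email FROM users WHERE user_name='" + name + "'"
    try:
        return {"status": 200, "body": db.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return {"status": 500, "body": str(exc)}  # leaks parser detail


def lookup_parameterized(db, name, log):
    # Hardened form: the value is bound as data and never parsed as SQL.
    try:
        rows = db.execute(
            "SELECT email FROM users WHERE user_name = ?", (name,)
        ).fetchall()
        return {"status": 200, "body": rows}
    except sqlite3.Error as exc:
        log.append(repr(exc))  # full detail stays in the server-side log
        return {"status": 500, "body": GENERIC_ERROR}


if __name__ == "__main__":
    db, log = make_db(), []
    # A legitimate name containing an apostrophe is enough to break the
    # concatenated query, which is how such defects usually surface.
    print(lookup_concatenated(db, "o'brien"))
    print(lookup_parameterized(db, "o'brien", log))
    print(lookup_parameterized(db, "alice", log))
```
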