Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

pen-test logo Penetration Testing mailing list archives

RE: sql injection with order by
From: "Ernest Nelson" <juridian () juridian com>
Date: Fri, 8 Apr 2005 15:30:06 -0700
Adding the '--' comments out everything after the sql you're putting in.  It
won't work without it because you are getting a syntax error on what you are
trying to run.

-----Original Message-----
From: dietf dietf [mailto:dietf () yahoo com] 
Sent: Thursday, April 07, 2005 8:52 PM
To: pen-test () securityfocus com
Subject: sql injection with order by



Hi all,
I am trying to make an injection with the statement below,

SQL = "SELECT ProID, CusID, Name FROM ProTur WHERE Lan=0 AND
CusID='%Customer%' ORDER BY Sira, ProjeTurID"

in the statement above I inject ")select @@version-- for the variable
Customer. But unless I have ended inject code with -- nothing happens.
I get
SQL = "SELECT ProID, CusID, Name FROM ProTur WHERE Lan=0 AND
FirmaID=")select @@version-- ORDER BY Sira, ProjeTurID"
what is the problem? can anybody tell me?
Is the problem occurs from the word ORDER BY?
Thanks

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]