Penetration Testing mailing list archives

MS SQL injection
From: "Mike Klingler" <whitehatguru () gmail com>
Date: Thu, 21 Sep 2006 09:02:52 -0500

I have a basic understanding of SQL injection for MS SQL, but on
this recent pen test the methods I have used in the past aren't
cutting it.

I was able to enumerate the table name and columns utilizing the '
having 1=1;-- and ' group by x,x,x,x having 1=1;--, but once I got all
of the column names on the group by list it issued the following error
instead of returning without an error.  "[Microsoft][ODBC SQL Server
Driver][SQL Server]Unclosed quotation mark before the character string
' '."  Any ideas on what I need to do to overcome this problem?

Thanks guys

Michael Klingler, CISSP
SecurityMetrics Penetration Tester
