When testing sql injection with this command:
I am getting this error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'UNION'.
/productdisplay.asp, line 36
I have tried adding a quotation mark before UNION, but get another error message on unclosed quotation marks. What I think I should be aiming for is to get the "must have equal expression of target sites" error message. Can anyone help me out?
March 30th, 2008, 09:24 PM
Well I can tell you that I highly doubt they are using columns named 1 and 2. Thats what you are telling it to do :-P
March 30th, 2008, 11:36 PM
Yeah i know that, but I'm expecting to get the "must have equal number of expressions" error message. Then just add numbers 3,4,5.... until there's no error message.Then I'll substitute in column names after that.
March 31st, 2008, 12:43 AM
Im saying what you are essentially doing is writing a query that says:
SELECT 1,2 FROM users
but it need to look like:
Select CollumnNameA,CollumnNameB From Users where UserID = 1,2
March 31st, 2008, 02:10 PM
Not necessarily, the only thing that matters is that the # of columns matches and that the type is correct...
If I had to guess I'd say there is possibly an issue with a quote somewhere...the other thing that looks odd is the negative product number...are you sure that isn't wigging it out?
March 31st, 2008, 02:43 PM
yeah i just added the -1 because I've noticed in the past that it normally works, but I tried without the negative and its the same error.
March 31st, 2008, 02:50 PM
My best guess would be something to the effect of :