It looks like you're new here. If you want to get involved, click one of these buttons!
a_tek7 said:[quote="a_tec7"]I was testing a website and by adding a little ' at the end ofasp?id=23'I found the following error:Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC Microsoft Access Driver] Syntax error in query expression 'id like '%23'%''. /fa/articlev.asp, line 20 ... [/quote]Look at the error. It's saying: " 'id like '%23'%' ". The single quotes at both ends of that statement mean nothing. It's the '%23'%' in the middle you should be concerned about. The highlighted part is your input. Look at it closely. What caused the syntax error? This is where your vulnerability lies. First, figure out what % means so you have an idea what's going on here. Looking at this error, I can already think of several ways to exploit this.
I 've been very busy these days to see my post again
@ Mr.P-teo: thank you for links. I looked over those docs now and sounds great bro, thanks. I will peruse them soon. If you have the 3rd part please upload it. When author gets arrested? It seems the document is written recently :D
"Also, most common versions of Microsoft SQL Server are 2005 & 2008. The 2012 one has just been released 1 month ago, so it's not really used at the moment." :D
@Null Set: thanks for comment.As I already mentioned I' m newbie and what I know, obviously a little, about sql injection is based on MySQL database and I've never had an experience on MSSQL. I used google and I found out that % specifies special characters. but I did not understand what you mean about several ways of exploiting this data base. can u clarify it please?
Mr. P-teo said:Yer MSSQL is bad for tutorials but my friend wrote thesePart One: http://www.mediafire.com/view/?wl87fi4ccybqta0Part Two: http://www.mediafire.com/view/?00olvjcjspxk5gbShame he got arrested, he was one of the best web-hackers i knew.
Yer MSSQL is bad for tutorials but my friend wrote thesePart One: http://www.mediafire.com/view/?wl87fi4ccybqta0Part Two: http://www.mediafire.com/view/?00olvjcjspxk5gbShame he got arrested, he was one of the best web-hackers i knew.
Mr. P-teo said:
Mr. P-teo said:I guess he is back now man...
I guess he is back now man...