 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
does this mean its a SQL injection |
 |
 Posted: Sat Mar 01, 2008 3:30 am |
 |
|
| theface |
| Active user |
 |
|
| Joined: Dec 24, 2007 |
| Posts: 33 |
|
|
|
 |
|
 |
|
when i go to
| Code: | | http://www.site.com/index.php?categoryid=5' |
i am getting this error
| Code: | Database error in Subdreamer
Invalid SQL: INSERT INTO sd_syslog (username, type, message, severity, location, referer, hostname, timestamp)
VALUES ('', 'php', 'warning: fopen(./plugins/p29_simple_counter/log.txt) [<a href=\'function.fopen\'>function.fopen</a>]: failed to open stream: Permission denied in /home/user/public_html/plugins/p29_simple_counter/p29_simple_counter.php on line 15.', '1', '/index.php?categoryid=5'', '', '64.185.154.33', 1204341950)
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '64.185.154.33', 1204341950)' at line 2
Error number: 1064
Date: Saturday 01st 2008f March 2008 03:25:50 AM
File: http://www.site.com/index.php |
does it mean SQL injection is possible ? if yes how do i test this? |
|
|
|
|
|
|
|
|
| Posted: Sat Mar 01, 2008 3:40 am |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| Yes, it's sql injection in INSERT query, which handles log saving. Seems that you have to use blind injection methods (subselects in INSERT query, if mysql is >=4.1.x), no easy way here ... |
|
|
|
|
| Posted: Sat Mar 01, 2008 4:03 am |
|
|
| theface |
| Active user |
|
|
| Joined: Dec 24, 2007 |
| Posts: 33 |
|
|
|
|
|
|
|
| i belive its MySQL version is older than that. but how do i do the testing? can you show me some good examples or can you show me some good documnets to read. |
|
|
|
|
| Posted: Sat Mar 01, 2008 3:30 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| If it's older mysql version without subselect support, then i can't see any way to exploit this specific sql injection issue ... |
|
|
|
|
| Posted: Sat Mar 01, 2008 5:14 pm |
|
|
| theface |
| Active user |
|
|
| Joined: Dec 24, 2007 |
| Posts: 33 |
|
|
|
|
|
|
|
| how about if MYSQL is not old how do i go forward? |
|
|
|
|
| Posted: Sat Mar 01, 2008 9:37 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 98
Members: 0
Total: 98
