 |
|
 |
 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 59
 Members: 0
 Total: 59
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
A simple sql password bypass question. |
|
 Posted: Thu Feb 21, 2008 5:45 am |
 |
|
| S_R_S |
| Beginner |
 |
|
| Joined: Feb 21, 2008 |
| Posts: 1 |
|
|
|
 |
|
 |
|
I'v read many sql injection tutorials and google this but I can't figure out this question.
If I type admin:' or 1=1-- and I get an error can I type admin:' or a=a-- and have a chance of it working?
or if 1 of them is block their all blocked?
Thanks for the help,
S_R_S |
|
|
|
|
| Posted: Thu Feb 21, 2008 8:27 am |
|
|
| gibbocool |
| Advanced user |
 |
|
| Joined: Jan 22, 2008 |
| Posts: 208 |
|
|
|
|
|
|
|
| im not so sure what you're asking, but you'll find if putting a ' doesnt work for you then that's because ' are escaped (i.e. have backslash before). |
|
|
|
|
| Posted: Thu Feb 21, 2008 11:52 am |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
This example of yours:
It is flawed! If you do not surround string with quotes, then sql engine will think, that it's something else - like field names or aliases.
Right version is:
Next - what sql? MSSQL? PostgreSql? MySql? Oracle?
And please provide detailed error message(s). |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|
