
sql injection


ghost:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'user_namexxx='' or a=a–''.

/webrecruit/includes/dataconn.asp, line 17

This is my error, but I don't see any group by clause. My question: is this exploitable using sum?


ghost:

Google 'advanced sql injection'; there is an article that is "very useful" in completing this challenge :happy:

[edit] Oops, never mind, I thought you were working on, like, basic 21. The article still might be useful though. [/edit]


ghost:

Yes, that's exploitable. Just play around with syntax until you get something that doesn't yell at you.


ghost:

:right: I don't think that's about a challenge. What you might want to do first is get some existing table names… you can query the db, make it spit an error including the first table name, then the second, etc.… till you think you have enough…

Most of the time something like this:

select top 1 table_name from information_schema.tables-

will work.


ghost:

darksun wrote: :right: I don't think that's about a challenge. What you might want to do first is get some existing table names… you can query the db, make it spit an error including the first table name, then the second, etc.… till you think you have enough…

Most of the time something like this:

select top 1 table_name from information_schema.tables-

will work.

I never said it was; in fact, the fact that it's an MS-SQL database makes it obvious it isn't. I think he needs help with finding out how to get other commands to inject properly, not help with what commands to inject.
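
Added example, not part of the thread: the error quoted in the first post is what a page returns when user input is concatenated into the query text and the driver error is sent to the browser. The Python/sqlite3 sketch below stands in for the ASP/Access stack (table, column and function names are assumptions, and the data is constructed); it shows the same shape of input raising a database error when concatenated, and being treated as plain data when bound as a parameter, with driver errors kept out of the response.

```python
import sqlite3

def make_db():
    """Constructed sample database; schema and row are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_name TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'recruiter')")
    return db

def lookup_concatenated(db, name):
    """Vulnerable pattern: the input becomes part of the SQL text."""
    sql = "SELECT role FROM users WHERE user_name='" + name + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, name):
    """Hardened pattern: the input is bound as a value, never parsed as SQL."""
    sql = "SELECT role FROM users WHERE user_name = ?"
    return db.execute(sql, (name,)).fetchall()

def concatenated_error(db, name):
    """Return the driver error the concatenated query raises, or None."""
    try:
        lookup_concatenated(db, name)
    except sqlite3.Error as exc:
        return str(exc)
    return None

def handle_request(db, name):
    """Return (status, body); driver errors are never echoed to the client."""
    try:
        rows = lookup_parameterized(db, name)
    except sqlite3.Error:
        # Log the detail server-side; the client gets a generic message.
        return 500, "Internal error"
    if not rows:
        return 404, "No such user"
    return 200, rows[0][0]

if __name__ == "__main__":
    db = make_db()
    probe = "' or a=a--"  # same shape as the input in the quoted error
    print("concatenated :", concatenated_error(db, probe))
    print("parameterized:", lookup_parameterized(db, probe))
    print("response     :", handle_request(db, probe))
```
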