Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

sql injection question


ghost's Avatar
0 0

Hello all, a friend of mine got ahold of me and asked me if his website was hackable. After browsing it for a bit and several different attempts, I found that I could gain admin access at the login screen by using

admin 'OR M_NAME='admin

Which logged me in as the admin of the forum. Now what I'd like to do is get ahold of the table name. I have the column names but I can't seem to figure out the table name(s).

I've tried the following:

  1. SELECT name FROM sysObjects WHERE xtype='U'

  2. ' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.')

But they both give me a "Syntax error (missing operator) in query expression".

Does anyone know what operator I'm missing, or what the syntax error might be? Or does anyone have any other suggestions for getting the table name(s)?

Thanks in advance!

-w0rd


ghost's Avatar
0 0

What you have shown is very little understanding of sql.

Its hard to help you with the information given. Infact even your login script doesnt make much sense at all. Is there even a password check or anything at all.

To try and answer you question first you need to close out the current command using '; then enter a correct statement.

Look into information.schema_table for being able to get the tables/columns.

Honestly I would try to help you more, but you are so off base atm its hard to pick up on where you are/what you know.


ghost's Avatar
0 0

stdio, thank you for your quick response and I apologize for not being fully educated on sql injections/sql in general.

The reason why I used that login script is because when I attempted with one of the tradition sql injections (' or 1=1), it gave me an error stating

"Syntax error (missing operator) in query expression 'M_NAME = ''1 or 1=1' AND M_PASSWORD = MD5 hash bullshit"

So I knew I should use "M_NAME".

Also, whenever I add ; or – it gives me this error:

[Microsoft][ODBC Microsoft Access Driver] Characters found after end of SQL statement.

So I figured I was unable to use them.

Is there any other information I need to provide that would inform you more?