Achim,

On Mon, Nov 17, 2008 at 8:15 AM, Achim Hoffmann <[EMAIL PROTECTED]> wrote:
> !! fuzzing, guessing... almost the same =)
>
> :-]

;)
> !!
> !! Original: select * from users where (a = $id);
> !!
> !! Injected 1: select * from users where (a = 1 and 1 = 1); ---> syntax ok
> !!
> !! Injected 2: select * from users where (a = 1 and 1 = 1--); ---> invalid syntax
> !!
> !! > yes and no 'cause it depends on the database's SQL engine
> !!
> !! are you sure that something like:
> !!
> !! is valid in *any* dbms?
>
> Hmm, either of us misunderstood something.
> I meant that it depends on the dbms which character/string to use for
> comments,
> MSSQL, Oracle --
> MSSQL, MySQL /* */
> etc.

oh, ok. Now I get your idea. So... one more point to "1 AND 1=1" instead of "1 AND 1=1;--", mainly because the first one works on every database, and the second one may or may not work on the database.

> !! > !! So..., adding a comment isn't always the best. Could you please think
> !! > !! about an example where 1 AND 1=1 wouldn't work, and 1 AND 1=1-- would?
> !! >
> !! > ... where id = <value> and id > 42 ...
> !! >
> !!
> !! Injecting false:
> !! ... where id = 1 and 1 = 2 and id > 42: Zero results would be returned
> !!
> !! Injecting true:
> !! ... where id = 1 or 1 = 1 and id > 42: All rows from the table would
> !! be returned.
> !!
> !! I don't understand why you say that "1 AND 1=1" wouldn't work, and "1
> !! AND 1=1--" would.
>
> if you inject a comment
> ... where id = 1 or 1=1 -- and id > 42
>
> the result is independent of anything that follows

That was what my example was about ("and id>42" is just an example). What I was trying to find is a SELECT statement that returns the same values for:

- Original: ?id=1
- Fuzzed true: ?id=1 OR 1=1

If we find that case, then we can say that *maybe* the commented approach is better.
Cheers,

> {-: Achim
>

-- 
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
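To make the precedence point behind this exchange concrete, here is an added example (not code from the thread or from w3af) that runs the three variants discussed above against an in-memory SQLite table with constructed ids, next to the parameterized form a defender would use instead; the `extra` suffix, the table layout and the id values are assumptions. Because AND binds tighter than OR, `id = 1 OR 1=1 AND id > 42` is evaluated as `id = 1 OR (1=1 AND id > 42)`, while the `--` variant discards the trailing condition entirely.

```python
import sqlite3

# Constructed sample data (not from the thread): a few ids below and above 42.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
CONN.executemany("INSERT INTO users VALUES (?, ?)",
                 [(i, f"user{i}") for i in (1, 2, 3, 43, 44)])


def ids_concatenated(value: str, extra: str = "") -> list:
    """Deliberately unsafe: splices the raw value into the statement, like the
    vulnerable query in the thread, so we can observe how the database parses
    the resulting WHERE clause. 'extra' stands for the trailing condition
    (e.g. ' AND id > 42') that the application appends after the value."""
    sql = f"SELECT id FROM users WHERE id = {value}{extra}"
    return sorted(row[0] for row in CONN.execute(sql))


def ids_parameterized(value: str, extra: str = "") -> list:
    """Hardened form: the value is bound as a parameter, so whatever it
    contains is compared as data and never parsed as SQL."""
    sql = f"SELECT id FROM users WHERE id = ?{extra}"
    return sorted(row[0] for row in CONN.execute(sql, (value,)))


if __name__ == "__main__":
    trailing = " AND id > 42"
    for label, value in [("original", "1"),
                         ("fuzzed true", "1 OR 1=1"),
                         ("fuzzed true + comment", "1 OR 1=1 -- ")]:
        print(f"{label:22s} concatenated -> {ids_concatenated(value, trailing)}"
              f"  parameterized -> {ids_parameterized(value, trailing)}")
```

With the concatenated query the original value yields no rows, the fuzzed value yields id 1 plus every id above 42, and the commented value yields every row; with the bound parameter all three yield the same result, since the injected text never reaches the parser.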