The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws


Chapter 9  ■ Injecting Code





SQL Error Messages

Oracle:
    ORA-01756: quoted string not properly terminated
    ORA-00933: SQL command not properly ended

MS-SQL:
    Msg 170, Level 15, State 1, Line 1
    Line 1: Incorrect syntax near 'foo
    Msg 105, Level 15, State 1, Line 1
    Unclosed quotation mark before the character string 'foo

MySQL:
    You have an error in your SQL syntax.  Check the manual that
    corresponds to your MySQL server version for the right syntax
    to use near ''foo' at line X

Translation:
    For Oracle and MS-SQL, SQL injection is present, and it is almost
    certainly exploitable! If you entered a single quote and it altered
    the syntax of the database query, this is the error you'd expect.
    For MySQL, SQL injection may well be present, but the same error
    message can appear in other contexts.
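The mechanism behind the first row, shown as an added example that is not from the book: a lookup that concatenates user input into the SQL text lets a single quote change the statement's syntax, and if the raw database error is returned to the client it becomes exactly the kind of message listed above. The parameterized version passes the quote as data and returns a generic message while logging the detail server-side. SQLite is used only for portability (its error wording differs from Oracle, MS-SQL and MySQL; the behaviour does not), and the table, rows and the name `o'brien` are constructed sample data.

```python
import logging
import sqlite3

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("db")


def make_db():
    """Constructed in-memory database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("o'brien", "obrien@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable form: input is spliced into the SQL text.

    A single quote in `username` terminates the string literal early, the
    statement no longer parses, and the raw database error text is handed
    back to the caller, which is what the messages in the table above look
    like from the client side.
    """
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}  # leaks the DBMS error verbatim


def lookup_parameterized(conn, username):
    """Hardened form: the value is bound as a parameter, never parsed as SQL.

    A quote is just another character in the data, so a legitimate name such
    as o'brien works, and any database error that does occur is logged on the
    server and replaced by a generic message in the response.
    """
    sql = "SELECT email FROM users WHERE username = ?"
    try:
        return {"rows": conn.execute(sql, (username,)).fetchall(), "error": None}
    except sqlite3.Error as exc:
        log.warning("database error for lookup: %s", exc)
        return {"rows": [], "error": "request could not be processed"}


if __name__ == "__main__":
    conn = make_db()
    for name in ("alice", "o'brien"):
        print("vulnerable    ", repr(name), lookup_vulnerable(conn, name))
        print("parameterized ", repr(name), lookup_parameterized(conn, name))
```

Running it shows the concatenated query failing on the apostrophe in `o'brien` with the database's own syntax error in the response, while the parameterized query returns the row; the same split is what separates a vulnerable endpoint from a safe one when the input is hostile rather than merely awkward.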

Oracle:
    PLS-00306: wrong number or types of arguments in call to 'XXX'

MS-SQL:
    Procedure 'XXX' expects parameter '@YYY', which was not supplied

MySQL:
    N/A

Translation:
    You have commented out or removed a variable that would normally be
    supplied to the database. In MS-SQL, you should be able to use time
    delay enumeration to perform arbitrary data retrieval.

Oracle:
    ORA-01789: query block has incorrect number of result columns

MS-SQL:
    Msg 205, Level 16, State 1, Line 1
    All queries in an SQL statement containing a UNION operator must
    have an equal number of expressions in their target lists.

MySQL:
    The used SELECT statements have a different number of columns

Translation:
    You will see this when you are attempting a UNION SELECT attack, and
    you have specified a different number of columns to the number in the
    original SELECT statement.
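From the defender's side, the same table is a set of signatures: any response that carries one of these strings is leaking database error text to the client, and the meaning column says what the leaked message implies. The following is an added example, not code from the book, of a response-monitoring check that matches the messages of all three rows above against response bodies. The patterns are an assumption about how the text appears in a body (adjust to the real application), and the sample responses are constructed, not captured traffic.

```python
import re

# Signatures taken from the three rows of the table: (DBMS, pattern, meaning).
# The patterns are assumptions about how each message shows up in a response
# body; both straight and curly quotes are accepted where the message quotes
# a name.
SIGNATURES = [
    ("Oracle", re.compile(r"ORA-01756|ORA-00933"),
     "quote changed the statement syntax: injection almost certainly present"),
    ("MS-SQL", re.compile(r"Incorrect syntax near|Unclosed quotation mark"),
     "quote changed the statement syntax: injection almost certainly present"),
    ("MySQL", re.compile(r"You have an error in your SQL syntax"),
     "possible injection: this message also appears in other contexts"),
    ("Oracle", re.compile(r"PLS-00306"),
     "an argument the database expected was missing from the call"),
    ("MS-SQL", re.compile(r"expects parameter ['\u2018]@\w+['\u2019], which was not supplied"),
     "an argument the database expected was missing from the call"),
    ("Oracle", re.compile(r"ORA-01789"),
     "UNION SELECT with the wrong number of columns"),
    ("MS-SQL", re.compile(r"UNION operator must have an equal number of expressions"),
     "UNION SELECT with the wrong number of columns"),
    ("MySQL", re.compile(r"SELECT statements have a different number of columns"),
     "UNION SELECT with the wrong number of columns"),
]


def classify(body):
    """Return (dbms, meaning) for every signature that matches a response body."""
    return [(dbms, meaning) for dbms, pat, meaning in SIGNATURES if pat.search(body)]


def scan(responses):
    """responses: iterable of (request_id, body).

    Returns {request_id: findings} for every body that leaks a database
    error; bodies with no match are omitted so the result is the alert list.
    """
    findings = {}
    for req_id, body in responses:
        hits = classify(body)
        if hits:
            findings[req_id] = hits
    return findings


# Constructed sample responses (not real captured traffic).
SAMPLE_RESPONSES = [
    ("req-1", "<html><body>Welcome back, alice</body></html>"),
    ("req-2", "<pre>ORA-01756: quoted string not properly terminated</pre>"),
    ("req-3", "Msg 105, Level 15, State 1, Line 1\n"
              "Unclosed quotation mark before the character string 'foo"),
    ("req-4", "You have an error in your SQL syntax.  Check the manual that "
              "corresponds to your MySQL server version for the right syntax "
              "to use near ''foo' at line 1"),
    ("req-5", "Procedure 'getUser' expects parameter '@id', which was not supplied"),
    ("req-6", "The used SELECT statements have a different number of columns"),
]

if __name__ == "__main__":
    for req_id, hits in scan(SAMPLE_RESPONSES).items():
        for dbms, meaning in hits:
            print(f"{req_id}: {dbms} error leaked - {meaning}")
```

Run as a check over a proxy log or a test harness's recorded responses, every hit is a place where the application should be returning a generic error instead; the meaning column also tells the reviewer which rows to treat as near-certain injection (Oracle and MS-SQL syntax errors) and which need confirmation (the MySQL syntax message).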
