The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws




Chapter 9: Injecting Code
Oracle: ORA-01790: expression must have same datatype as corresponding expression
MS-SQL: Msg 245, Level 16, State 1, Line 1
        Syntax error converting the varchar value 'foo' to a column of data type int.
MySQL: (MySQL will not give you an error.)
Translation: You will see this when you are attempting a UNION SELECT attack, and you have specified a different data type from that found in the original SELECT statement. Try using a NULL, or using 1 or 2000.

Oracle: ORA-01722: invalid number
        ORA-01858: a non-numeric character was found where a numeric was expected
MS-SQL: Msg 245, Level 16, State 1, Line 1
        Syntax error converting the varchar value 'foo' to a column of data type int.
MySQL: (MySQL will not give you an error.)
Translation: Your input doesn't match the expected data type for the field. You may have SQL Injection, and you may not need a single quote, so try simply entering a number followed by your SQL to be injected. In MS-SQL, you should be able to return any string value with this error message.

Oracle: ORA-00923: FROM keyword not found where expected
MS-SQL: N/A
MySQL: N/A
Translation: The following will work in MS-SQL:
        SELECT 1
    But in Oracle, if you want to return something, you must select from a table. The DUAL table will do fine:
        SELECT 1 from DUAL

Oracle: ORA-00936: missing expression
MS-SQL: Msg 156, Level 15, State 1, Line 1
        Incorrect syntax near the keyword 'from'.
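
From the defender's side, the error strings in the table above are exactly what should never reach a client. The following is an added example, not code from the book: it scans response bodies from your own application for those signatures and reports what a Msg 245 error echoed back. The function names, URLs and sample bodies are constructed for illustration.

```python
import re

# Error formats from the table above: Oracle "ORA-nnnnn:" and MS-SQL "Msg n, Level n, ...".
ORA_RE = re.compile(r"\bORA-(\d{5}):")
MSSQL_RE = re.compile(r"\bMsg (\d+), Level \d+, State \d+, Line \d+")
# Msg 245 quotes the value it failed to convert, so the response discloses data.
ECHO_RE = re.compile(r"converting the varchar value\s+['\u2018](.*?)['\u2019]\s+to a column", re.S)

# Codes and wording are taken from the table; nothing outside it is recognised.
KNOWN = {
    ("Oracle", "01790"): "datatype mismatch between UNION SELECT and original SELECT",
    ("Oracle", "01722"): "input does not match the field's datatype",
    ("Oracle", "01858"): "input does not match the field's datatype",
    ("Oracle", "00923"): "SELECT without a FROM clause",
    ("Oracle", "00936"): "missing expression",
    ("MS-SQL", "245"): "varchar-to-int conversion failure",
    ("MS-SQL", "156"): "incorrect syntax near a keyword",
}

def find_db_errors(body):
    """Return one finding per known database error found in a response body."""
    findings = []
    hits = [("Oracle", m.group(1)) for m in ORA_RE.finditer(body)]
    hits += [("MS-SQL", m.group(1)) for m in MSSQL_RE.finditer(body)]
    for dbms, code in hits:
        if (dbms, code) not in KNOWN:
            continue
        echo = ECHO_RE.search(body) if (dbms, code) == ("MS-SQL", "245") else None
        findings.append({"dbms": dbms, "code": code, "meaning": KNOWN[(dbms, code)],
                         "echoed": echo.group(1) if echo else None})
    return findings

def audit(responses):
    """Map each URL whose body leaks a database error to its findings."""
    scanned = ((url, find_db_errors(body)) for url, body in responses)
    return {url: found for url, found in scanned if found}

# Constructed sample responses (hypothetical URLs and bodies) for illustration.
SAMPLE = [
    ("/search?id=1", "<html>Results: 3 items</html>"),
    ("/item?id=x", "Msg 245, Level 16, State 1, Line 1\nSyntax error converting the "
                   "varchar value 'foo' to a column of data type int."),
    ("/report", "<pre>ORA-00923: FROM keyword not found where expected</pre>"),
]

if __name__ == "__main__":
    for url, found in audit(SAMPLE).items():
        print(url, found)
```

Because MySQL returns no error for the first two conditions in the table, a clean scan says nothing about a MySQL-backed application.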



