Help with sqli or xss

One reply in this topic

#1
saske46

Hello my friends, a few days ago, by chance, I found an error in a site, seems like sqli


Query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND can_sesion =' c552de646b04ee4514c06cc3d22c744 '' at line 1



But the error only appears if you change the value of the cookie, example: PHPSESSID: c552 ** .... and I changed it to PHPSESSID: C543 ** ... The error works, I tried to add some values before PHPSESSID: [] C543 ** .. and it appears to be a sqli, but if I try other commands like + union + select + 1--, nothing appears.

I read a few tutorials, and maybe this is an xss? Can anyone help me with "documents, videos or links" to know how to exploit this type of vul? and whether this is sqli or xss, thx.

Edited by saske46, 21 September 2014 - 23:47.


#2
ProHex


Query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND can_sesion =' c552de646b04ee4514c06cc3d22c744 '' at line 1

An XSS has nothing to do with a MySQL server error.

Also, there could be just a problem with the implementation of the session IDs - but from what I see, the error code shows a query - so it is an SQL injection.

Now to the solution:

As you may know, an SQL injection is based on injecting SQL statements into an existing query which is not properly sanitized. In this case it may be that the query is not finished yet, which means that afterwards a query could be executed. Closing the query wouldn't help since more or less it could be an additional query in another line.

I would prefer getting more information about the site and about where you found this error. Once I get this info I can help you further.

Edited by ProHex, 22 September 2014 - 20:30.
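The root cause discussed in this thread, seen from the site owner's side, as an added example that is not part of the thread or the affected site's code: a session lookup that pastes the cookie value into the SQL string and echoes the database error, next to a version that validates the ID format and binds it as a parameter. It uses Python with SQLite in place of PHP/MySQL so it runs offline; only the column name `can_sesion` comes from the error message, while the table, the other columns, the 32-hex-character ID format and the sample ID are assumptions.

```python
import re
import sqlite3

# Constructed sample session ID (32 hex chars); the format is an assumption.
VALID_ID = "0123456789abcdef0123456789abcdef"
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")


def make_db():
    """Build a constructed in-memory table; table and column names other
    than can_sesion are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sesiones "
               "(can_usuario TEXT, can_activa INTEGER, can_sesion TEXT)")
    db.execute("INSERT INTO sesiones VALUES ('alice', 1, ?)", (VALID_ID,))
    return db


def lookup_vulnerable(db, cookie_value):
    """Cookie text becomes part of the SQL statement itself, and the raw
    database error is returned to the client, as the 'Query failed' page does."""
    sql = ("SELECT can_usuario FROM sesiones WHERE can_activa = 1 "
           "AND can_sesion = '" + cookie_value + "'")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "Query failed: " + str(exc)
    return row[0] if row else None


def lookup_hardened(db, cookie_value):
    """Reject anything that is not a well-formed ID, bind the value as data,
    and never send database errors to the client."""
    if not SESSION_ID_RE.fullmatch(cookie_value):
        return None
    try:
        row = db.execute(
            "SELECT can_usuario FROM sesiones WHERE can_activa = 1 "
            "AND can_sesion = ?", (cookie_value,)).fetchone()
    except sqlite3.Error:
        return None  # log server-side; the client only sees "no session"
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for value in (VALID_ID, VALID_ID + "'", "C543"):
        print(repr(value), "->", lookup_vulnerable(db, value),
              "|", lookup_hardened(db, value))
```

An altered cookie that merely fails to match a session returns `None` from both functions; only the string-built query turns a stray quote character into a visible database error.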



