Saturday 29 November 2014

SQL injection for educational purposes



I'm trying to exploit some web vulnerabilities in a sample website running inside a VM (it is not available on the web, only for educational purposes). I have a search criteria field and I write 'all' to display all products, or write a specific product.


I tried injecting code into the search field, but it doesn't work.


I tested:


' or 'UPDATE' 'products' 'SET' 'price'='0' 'where' 'price'='1000'--'
' or 'UPDATE products SET price=0 where price=1000'--';
all' or DROP TABLE products #
(...) but it typically returns a message:


SQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' ORDER BY PRICE' at line 1


SQL Statement: SELECT pcode,price,description FROM products WHERE description like '%' or 'UPDATE products SET price=0 where price=1000'%' ORDER BY PRICE
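The echoed statement above is the useful part of the error: it shows that the application pastes the raw field value between the quotes of the LIKE pattern, which is the defect a fix needs to remove. The following is an added example, not code from the original post or from the VM's application. It rebuilds the same query two ways against a constructed SQLite products table (SQLite stands in for the post's MySQL server; the three sample rows are constructed): the first splices the input into the SQL text, the second binds it as a parameter. The test input is the value reconstructed from the statement in the error message.

```python
import sqlite3

# Constructed sample rows (not data from the post's VM).
SAMPLE_PRODUCTS = [
    ("P001", 1000, "laptop 15 inch"),
    ("P002", 25, "usb cable"),
    ("P003", 1000, "monitor 27 inch"),
]

# Field value reconstructed from the SQL statement echoed in the post's error.
POST_INPUT = "' or 'UPDATE products SET price=0 where price=1000'"


def make_db():
    """In-memory products table shaped like the one in the post's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (pcode TEXT, price INTEGER, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Builds the statement the way the post's application evidently does:
    the raw field value is spliced into the SQL text between the quotes."""
    sql = ("SELECT pcode,price,description FROM products "
           "WHERE description like '%" + term + "%' ORDER BY PRICE")
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Same search with the value bound as a parameter: the database receives
    the SQL text and the search term separately, so quotes in the term are
    ordinary characters to match, never part of the statement."""
    if term == "all":  # the post's convention: 'all' lists every product
        return conn.execute(
            "SELECT pcode,price,description FROM products ORDER BY price").fetchall()
    sql = ("SELECT pcode,price,description FROM products "
           "WHERE description like ? ORDER BY price")
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def compare(term):
    """Runs one term through both builders against a fresh database and
    reports what each did. For the vulnerable builder the outcome is either
    its rows or the error text the database raised (as in the post)."""
    conn = make_db()
    try:
        vulnerable_rows = search_vulnerable(conn, term)
        vulnerable_error = None
    except sqlite3.OperationalError as exc:
        vulnerable_rows = None
        vulnerable_error = str(exc)
    parameterized_rows = search_parameterized(conn, term)
    # Prices are re-read so a caller can confirm the table was not modified.
    prices = [row[0] for row in conn.execute("SELECT price FROM products ORDER BY pcode")]
    conn.close()
    return {
        "vulnerable_rows": vulnerable_rows,
        "vulnerable_error": vulnerable_error,
        "parameterized_rows": parameterized_rows,
        "prices_after": prices,
    }


if __name__ == "__main__":
    for term in ("cable", "all", POST_INPUT):
        print(repr(term), "->", compare(term))
```

With a normal term both builders return the same row. With the post's input the spliced version hands the database a statement whose last quote is unbalanced, so it fails to parse exactly as the MySQL message in the post reports, while the parameterized version simply finds no description containing that text and the prices are untouched. The parse error is not a defence: it is the database rejecting a query whose shape the user was able to change, and the bound parameter is what removes that ability.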




