[ic] SQL Injection?

Peter peter at pajamian.dhs.org
Wed Sep 24 21:22:25 UTC 2014


On 09/25/2014 03:18 AM, Bob Puff wrote:
> mv_session_id=PC9Bp9yf&mv_searchtype=db&mv_matchlimit=10&mv_sort_field=category&mv_search_field=x'%20xor%20sleep(15)%20/*&mv_substring_match=1&mv_searchspec=123

That looks like you have a syntax error in some Perl, an improperly
terminated quote or something, because you have Perl code in your
mv_search_field and that's wrong.

> mv_action=return&mv_nextpage=ord%2Fbilling&mv_failpage=x')%20waitfor%20delay%20'00:00:15'%20/*&mv_form_profile=Check_shipping&fname=123&lname=123&company=123&address1=123&address2=123&city=123&state=123&zip=123&country=123&phone_ship=123&phone_day=123&phone_night=123&email=123&mv_same_billing=1&email_copy=1&promo_code=123&country_reset=123

Again, the same thing: mv_failpage looks like some quoted text is
improperly terminated and there's stuff in it that should not be.


Peter
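The two query strings quoted above carry SQL time-delay expressions (`sleep(15)`, `waitfor delay '00:00:15'`) in ordinary form parameters. The script below is an added detection example, not code from the thread or from Interchange: it URL-decodes each parameter and flags values containing such expressions, so the same probes can be spotted in access logs. The sample query strings are constructed here, modelled on the ones in the thread.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample query strings, modelled on the ones quoted in the thread.
SAMPLE_QUERY_STRINGS = [
    "mv_session_id=PC9Bp9yf&mv_searchtype=db&mv_search_field=x'%20xor%20sleep(15)%20/*&mv_searchspec=123",
    "mv_action=return&mv_nextpage=ord%2Fbilling&mv_failpage=x')%20waitfor%20delay%20'00:00:15'%20/*&fname=123",
    "mv_session_id=abc123&mv_searchtype=db&mv_search_field=category&mv_searchspec=shoes",
]

# Time-delay functions of the common engines: MySQL sleep()/benchmark(),
# MSSQL WAITFOR DELAY, PostgreSQL pg_sleep(). Case-insensitive, whitespace-tolerant.
TIME_DELAY_PATTERNS = [
    re.compile(r"\bsleep\s*\(\s*\d+", re.I),
    re.compile(r"\bwaitfor\s+delay\b", re.I),
    re.compile(r"\bpg_sleep\s*\(", re.I),
    re.compile(r"\bbenchmark\s*\(", re.I),
]


def find_time_delay_params(query_string):
    """Return [(name, decoded_value)] for parameters whose decoded value
    contains a time-delay SQL expression. Decoding happens before matching,
    so percent-encoding (%20 and friends) cannot hide the keyword."""
    hits = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if any(p.search(value) for p in TIME_DELAY_PATTERNS):
            hits.append((name, value))
    return hits


def scan(query_strings):
    """Run the check over many query strings (e.g. extracted from a log)."""
    return [find_time_delay_params(q) for q in query_strings]


if __name__ == "__main__":
    for q, hits in zip(SAMPLE_QUERY_STRINGS, scan(SAMPLE_QUERY_STRINGS)):
        print("FLAG" if hits else "ok  ", hits if hits else q[:60])
```

A flagged parameter is a triage signal, not proof of a successful injection; the durable fix is to pass such values to the database as bound parameters rather than interpolating them into SQL text.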


