I'm trying to inject this one site, and I got this interesting error message by using the classic "'or 1=1--" trick. I'm a complete noob at this, so I haven't had much success with sql injection until I did the trick above and got this error message.

MYSQL ERR:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_or_1=1--', PASSWORD('password'), '5f4dcc3b5aa765d61d8327deb882cf99',
'204' at line 8

Problem creating the account.
Please retry or contact the administrator.

Does this mean anything? I'm trying to fish for a password or really anything that would indicate that I can access the tables. Any tips on how to get better at this would help a lot. =)

Kind of looks like it already spit the hash out at you. lawl. but where is the U-name?

I'm trying to inject this one site, and I got this interesting error message by using the classic "'or 1=1--" trick. I'm a complete noob at this, so I haven't had much success with sql injection until I did the trick above and got this error message.

MYSQL ERR:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_or_1=1--', PASSWORD('password'), '5f4dcc3b5aa765d61d8327deb882cf99',
'204' at line 8

Problem creating the account.
Please retry or contact the administrator.

Does this mean anything? I'm trying to fish for a password or really anything that would indicate that I can access the tables. Any tips on how to get better at this would help a lot. =)

Well the thing is, I used it on a registration page. I know that sounds stupid, but it didn't work on the login, so I figured I'd just see what would happen if I used it when registering. I used the injection as the username. The password was just 'password'. It spit out a hash, but what's the possibility that it could mean anything? And how would I go about decoding it?

Kind of looks like it already spit the hash out at you. lawl. but where is the U-name?


It only hashed 'password', I assume that's what he put in the password field :p. It didn't spit out any hash that would probably correspond to an account.

If you could give me the site some way, either via IRC, aim or whatever I can check it out. I'm very good at web hacking.


Btw, edit your shit so it doesn't stretch the damn page :mad:.

That'd be great, Clover! I made an AIM account. The username is burzumvenom.

And sorry about the page stretching. I might try fixing it. I thought that totse used to have better wordwrapping or whatever.

Alright, I added you. My AIM is SlpCtrl.

alright, i added you. My aim is slpctrl.

You son of a bitch!