Sunday, August 20, 2006

Error document information and what it indicates.

ODBC Error Code = 37000 (Syntax error or access violation)

[Microsoft][ODBC SQL Server Driver][SQL Server]Line 4: Incorrect syntax near '='.

Data Source = "ECommerceTheArchSupport2" SQL = "SELECT QuickJump_Items.ItemId FROM QuickJump_Items WHERE QuickJump_Items.ItemId <> 0 AND QuickJumpId ="

The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (1:1) to (1:42) in the template file K:\InetPub\clients\login\http\ailment.cfm

The specific sequence of files included or processed is:
K:\INETPUB\CLIENTS\LOGIN\HTTP\AILMENT.CFM


This error message indicates that the target web application is running Microsoft SQL and discloses directory structures.
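A defensive check for the disclosure described above, as an added example that is not part of the original post: it scans a response body for the details this error page leaks (ODBC code, driver banner, data source name, SQL text, filesystem path) so a test or response filter can flag verbose errors. The category names, function names and the generic page are this example's own assumptions.

```python
import re

# Leak categories for the error page above; the names are this example's own.
LEAK_PATTERNS = {
    "odbc_error_code": re.compile(r"ODBC Error Code\s*=\s*(\w+)"),
    # Two or more adjacent [bracketed] tokens, e.g. the driver/DBMS banner.
    "driver_banner": re.compile(r"((?:\[[^\]\r\n]+\]){2,})"),
    "data_source": re.compile(r'Data Source\s*=\s*"([^"]+)"'),
    "sql_statement": re.compile(r'SQL\s*=\s*"([^"]+)"'),
    # Absolute Windows path: drive letter, colon, backslash, then the rest.
    "filesystem_path": re.compile(r"\b([A-Za-z]:\\[^\s\"<>|?*]+)"),
}

def find_disclosures(body: str) -> dict[str, list[str]]:
    """Map each leak category found in a response body to its unique matches."""
    findings = {}
    for name, pattern in LEAK_PATTERNS.items():
        unique = {}
        for value in pattern.findall(body):
            # Windows paths are case-insensitive, so dedupe on lowercase.
            unique.setdefault(value.lower(), value)
        if unique:
            findings[name] = list(unique.values())
    return findings

def is_safe_error_page(body: str) -> bool:
    """True when the body leaks none of the categories above."""
    return not find_disclosures(body)

# Error text copied from the post.
LEAKY_PAGE = r'''ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 4: Incorrect syntax near '='.
Data Source = "ECommerceTheArchSupport2" SQL = "SELECT QuickJump_Items.ItemId FROM QuickJump_Items WHERE QuickJump_Items.ItemId <> 0 AND QuickJumpId ="
The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (1:1) to (1:42) in the template file K:\InetPub\clients\login\http\ailment.cfm
The specific sequence of files included or processed is:
K:\INETPUB\CLIENTS\LOGIN\HTTP\AILMENT.CFM
'''

# Constructed example of a generic error page that leaks nothing.
GENERIC_PAGE = "An error occurred while processing your request. Reference: 1f3a9c"

if __name__ == "__main__":
    for category, values in find_disclosures(LEAKY_PAGE).items():
        print(f"{category}: {values}")
    print("generic page safe:", is_safe_error_page(GENERIC_PAGE))
```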

2 comments:

  1. Siddharth Gawshinde, September 06, 2006 1:18 PM

    Can you suggest, if directory indexing is disabled, how can I use that disclosed path "k:\intepub\...

  2. Hi Siddharth,

    Having known the internal software details, you may attempt default usernames/passwords or attempt SQL Injection queries that provide an SQL true statement (such as OR 1=1#).

    Else the physical path may not be of much importance to you.
