Penetration Testing mailing list archives

SQL Injection


From: "Kevin Spett" <kspett () mediaone net>
Date: Thu, 6 Sep 2001 17:14:32 -0700

I am working on a script where I am able to inject arbitrary SQL code into
the request, but am unable to get the records I want.

A request in this format:

http://www.site.com/script.asp?param1=value1&param2=' UNION SELECT field
FROM table WHERE '1'='

Generates the following error:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] The number of columns in the two
selected tables or queries of a union query do not match.
/script.asp, line 47
    I have been told that this is because the number of columns in the
result table of the first query is not equal to the number of columns in the
result table of the second query, and all I need to do is pad the request
with extra columns like the following until the number of columns is
correct.
http://www.site.com/script.asp?param1=value1&param2=' UNION SELECT field,
field1, field2, field3 FROM table WHERE '1'='
    I have done this with up to around thirty extra fieldnames, and with no
luck.  I would like to know if there are other ways of doing this.  I've
tried using a semicolon to stack requests, but I get an error message
stating that there is data after end of query (which means it's probably an
Access server).  Are there other ways of doing this besides UNION?  I know
the names of other tables and fields in the same db as well as their types.
Also, good sites or papers that discuss SQL code injection would be
appreciated.

Kevin.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
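
Added example, not part of the original post: the two conditions the message depends on (a parameter concatenated into the SQL text, and the driver error returned to the client) shown beside the corrected form with a bound parameter and a generic error. SQLite stands in for the Access back end, and the schema, table names, function names and payload string are constructed for illustration.

```python
import sqlite3

# Constructed sample input, shaped like the param2 value in the post.
PAYLOAD = "' UNION SELECT field FROM accounts WHERE '1'='"

def make_db():
    """In-memory SQLite database standing in for the Access back end (assumption)."""
    db = sqlite3.connect(":memory:")
    # Hypothetical schema: the page does not show the real one.
    db.executescript("""
        CREATE TABLE items (id INTEGER, name TEXT, category TEXT);
        CREATE TABLE accounts (field TEXT);
        INSERT INTO items VALUES (1, 'widget', 'tools');
        INSERT INTO accounts VALUES ('secret');
    """)
    return db

def lookup_concat(db, param2):
    """'Before' form: the request parameter is pasted into the SQL text."""
    sql = "SELECT id, name, category FROM items WHERE category = '" + param2 + "'"
    try:
        return ("rows", db.execute(sql).fetchall())
    except sqlite3.Error as exc:
        # Handing the driver message back to the client is what exposes the
        # UNION column-count mismatch quoted in the post.
        return ("error", str(exc))

def lookup_bound(db, param2):
    """Corrected form: the parameter is bound, so it is only compared as a string."""
    sql = "SELECT id, name, category FROM items WHERE category = ?"
    try:
        return ("rows", db.execute(sql, (param2,)).fetchall())
    except sqlite3.Error:
        # Generic message for the client; details belong in server-side logs.
        return ("error", "request failed")

if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_concat, lookup_bound):
        print(fn.__name__, fn(db, "tools"), fn(db, PAYLOAD))
```

With the bound parameter the quote and the UNION keyword never reach the SQL parser, so the request returns an empty result set instead of a driver error.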

