Penetration Testing mailing list archives
Re: SQL Injection: Issue with UNION SELECT ALL
From: Francois Larouche <francois.larouche-ml () sqlpowerinjector com>
Date: Tue, 15 Jan 2008 10:44:52 -0800
Hi Zed, see my answer inside the text
I might not have said it right, but what I meant was that casting errors take precedence over the error stating that the UNION doesn't have the right number of expressions. Hence, someone might think that he found the right number of expressions when in fact he is just hitting his first type clash. And of course a cast to nvarchar will work, but I was referring to your statement that he found, or seemed to have found, the right number of expressions (3) when in fact he got a casting problem. (see below)

> On Jan 11, 2008 12:16 AM, Francois Larouche <francois.larouche-ml () sqlpowerinjector com> wrote:
>> I wouldn't agree with your statement Zed. What he found was where the first conversion clash occurred. It seems that your third expression is a text field, no big deal. For some reason SQL Server gives a higher priority to the "text is incompatible with int" error, or any casting problem, than to the unequal number of expressions in a UNION clause. Believe me, I learned that at my expense...
>
> Chances are I misread your above statement, but what do you mean by "or any casting problem"? The nvarchar casting above - below works as expected
>>> you seem to have successfully enumerated the number of fields of the first query at
>>> ----------------------------------------------------------------------------------
>>> http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT ALL 1,2,3--
>>> Returns: Operand type clash: text is incompatible with int
This time it's my fault, I didn't explain quite well what I meant by "if you use only NULL you'll get nothing back". What I meant was that if you just use SELECT * FROM SomeTable UNION SELECT NULL, NULL, NULL, NULL-- you'll get just the normal result, as if you didn't use the UNION at all. The goal of using NULL is to be able to find out the exact number of expressions without having to bother with stupid casting or collation. Then, when you have the right number of expressions, you can use your trick or any other way you want to get information from the SQL Server.

>> The actual number is 16 if I counted well with his HAVING test. Your problem now Joseph is just to make sure that you can have the right format. If you use NULL it will work each time, however you won't get anything back...
>
> Partly true - oh well, unless you found something else at your expense :). You just have to pick one column that is displayed back and put your data selection there if you want multiple data rows to be returned back. Alternatively pick an int column and union select strings on that. Detailed error messages - which you seem to have - will get you the data back one at a time. Recurse on that with NOT IN ('data'...)
Wish you well,

Cheers
Francois
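The two points argued in the thread, that a NULL-only UNION with the wrong expression count is rejected outright while one with the right count comes back looking like the normal page, and that a parameterised query never parses the input as SQL at all, as an added example that is not part of the thread. SQLite stands in for the SQL Server under discussion (so type-clash precedence is not reproduced), and the `products` table and its rows are constructed sample data.

```python
import sqlite3

PAYLOAD_3 = "12345 UNION SELECT NULL, NULL, NULL--"        # one expression short
PAYLOAD_4 = "12345 UNION SELECT NULL, NULL, NULL, NULL--"  # matches the query


def make_db():
    # Constructed schema: four columns, so a UNION needs four expressions.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, descr TEXT, price REAL);
        INSERT INTO products VALUES (12345, 'Widget', 'A widget', 9.99);
        INSERT INTO products VALUES (12346, 'Gadget', 'A gadget', 19.99);
    """)
    return con


def vulnerable_lookup(con, vulnparam):
    # String concatenation: everything after the number becomes part of the SQL.
    sql = "SELECT id, name, descr, price FROM products WHERE id = " + vulnparam
    return con.execute(sql).fetchall()


def safe_lookup(con, vulnparam):
    # Bound parameter: the whole input is one value compared against id,
    # so "12345 UNION ..." is just a string that matches no row.
    sql = "SELECT id, name, descr, price FROM products WHERE id = ?"
    return con.execute(sql, (vulnparam,)).fetchall()


def probe_results():
    con = make_db()
    out = {}
    # Wrong expression count: the database refuses the UNION before running it.
    try:
        vulnerable_lookup(con, PAYLOAD_3)
        out["three_nulls"] = "no error"
    except sqlite3.OperationalError as err:
        out["three_nulls"] = str(err)
    # Right count: the genuine row plus one all-NULL row, which an application
    # renders as blank, so the page looks like the normal result.
    out["four_nulls"] = vulnerable_lookup(con, PAYLOAD_4)
    # Same payload through the parameterised query: nothing is injected.
    out["safe"] = safe_lookup(con, PAYLOAD_4)
    return out


if __name__ == "__main__":
    for key, value in probe_results().items():
        print(key, "->", value)
```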
Current thread:
- SQL Injection: Issue with UNION SELECT ALL Joseph McCray (Jan 09)
- Re: SQL Injection: Issue with UNION SELECT ALL Zed Qyves (Jan 10)
- Re: SQL Injection: Issue with UNION SELECT ALL Francois Larouche (Jan 10)
- Re: SQL Injection: Issue with UNION SELECT ALL Zed Qyves (Jan 14)
- Re: SQL Injection: Issue with UNION SELECT ALL Francois Larouche (Jan 15)
- Re: SQL Injection: Issue with UNION SELECT ALL Francois Larouche (Jan 10)
- Re: SQL Injection: Issue with UNION SELECT ALL Zed Qyves (Jan 10)