Penetration Testing mailing list archives
Re: SQL Injection: Issue with UNION SELECT ALL
From: Francois Larouche <francois.larouche-ml () sqlpowerinjector com>
Date: Thu, 10 Jan 2008 14:16:38 -0800
I wouldn't agree with your statement Zed.What he found was where the first conversion clash occurred. It seems that your third expression is text field, no big deal. For some reason SQL Server gives a higher priority on text is incompatible with int error or any casting problem than the equal number of expressions in a UNION clause. Believe me I learned that at my expense...
The actual number is 16 if I counted well with his HAVING test.Your problem now Joseph is just to make sure that you can have the right format. If you use NULL it will work each time, however you won't get anything back...
The error you have is that you used SELECT ALL, in fact you need to use UNION ALL SELECT .... the ALL goes between UNION and SELECT
Good luck Francois Zed Qyves wrote:
Hello, you seem to have successfully enumerated the number of fields of the first query at ---------------------------------------------------------------------------------- http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT ALL 1,2,3-- Returns: Operand type clash: text is incompatible with int Reference Found: http://archives.neohapsis.com/archives/sf/pentest/2003-02/0094.html -------------------------------------------------------------------------------- you can use the convert and sql_variant data type of MS SQL SERVER to get to the right data types as well. so you query would look like... ------------------------------------------------------------------------------- http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT ALL convert(sql_variant,1),convert(sql_variant,2),convert(sql_variant,3)-- Reference: http://www.sqlsecurity.com/LinkClick.aspx?link=SQL+Server+Security.ppt&tabid=60&mid=398 ------------------------------------------------------------------------------- Have fun, ZQ
------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- SQL Injection: Issue with UNION SELECT ALL Joseph McCray (Jan 09)
- Re: SQL Injection: Issue with UNION SELECT ALL Zed Qyves (Jan 10)
- Re: SQL Injection: Issue with UNION SELECT ALL Francois Larouche (Jan 10)
- Re: SQL Injection: Issue with UNION SELECT ALL Zed Qyves (Jan 14)
- Re: SQL Injection: Issue with UNION SELECT ALL Francois Larouche (Jan 15)
- Re: SQL Injection: Issue with UNION SELECT ALL Francois Larouche (Jan 10)
- Re: SQL Injection: Issue with UNION SELECT ALL Zed Qyves (Jan 10)