WebApp Sec mailing list archives

Re: SQL Injection data retrieving??


From: nummish <nummish () gmail com>
Date: Fri, 10 Sep 2004 11:10:31 -0400

The problem you're encountering is because you're trying to convert
multiple records with multiple fields to a single int datatype.

Think of the data you're pulling out in a format such as:

x1,y1,z1
x2,y2,z2
x3,y3,z3
...

You'd have more success pulling one row at a time (using the TOP 1
syntax you were using on the tables) and pulling one field at a time
(you'll need to know the field name, from syscolumns).

From here you can proceed to convert, unless it's an integer... at
which point it won't throw the same error, because the conversion will
succeed.

You might be better off if you can inject a stored proc to concatenate
the fields for you (and save some time).

This is all covered in Chris Anley's paper:
http://www.nextgenss.com/papers/advanced_sql_injection.pdf

-nummish

On 10 Sep 2004 12:06:56 -0000, Roland Despins <roland2004 () romandie com> wrote:

Now here come the troubles... I would like to retrieve the column names of the "__dellist" table and the data of the "__dellist".

I've sent:

www.mysite.com/products.asp?id=convert(int,(select * from __dellist where 1=1))

Error Type:

Microsoft OLE DB Provider for SQL Server (0x80004005)

Subquery returned more than 1 value. This is not permitted when the subquery follows =, !=, <, <= , >, >= or when the subquery is used as an expression.

/products.asp, line 32

My question is: Which query should I send in order to retrieve the data of the table??



-- 
Bigger 1:23
This address is for mailing list traffic only.
Please direct non-list correspondence to 0x90.org
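
Added example, not part of the thread: a defender-side check that scans web server logs for the request shape discussed above, a type conversion wrapped around a subquery in a query-string parameter, and records whether the server answered with an error. The log format (method, path, query, status), the sample lines and the names PROBE, decode and find_probes are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (method, path, query, status); not from a real log.
SAMPLE_LOG = """\
GET /products.asp id=12 200
GET /products.asp id=convert(int,(select+*+from+__dellist+where+1=1)) 500
GET /products.asp id=CONVERT%28int%2C%28SELECT%20TOP%201%20*%20FROM%20__dellist%29%29 500
GET /search.asp q=how+to+convert+units 200
GET /products.asp id=7%2520AND%25201=cast((select%2520top%25201%2520*%2520from%2520__dellist)%2520as%2520int) 200
"""

# A conversion applied directly to a subquery:
#   convert(<type>,(select ...   or   cast((select ...
PROBE = re.compile(r"\b(?:convert\s*\(\s*\w+\s*,|cast\s*\()\s*\(\s*select\b", re.I)

def decode(query):
    """URL-decode up to three times so double-encoded values are normalised."""
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query

def find_probes(log_text):
    """Return (path, decoded_query, status, error_returned) per matching request."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not fit the assumed format
        _method, path, query, status = parts
        decoded = decode(query)
        if PROBE.search(decoded):
            # A 500 means the database error text probably reached the client.
            hits.append((path, decoded, int(status), status == "500"))
    return hits

if __name__ == "__main__":
    for path, query, status, error_returned in find_probes(SAMPLE_LOG):
        print(f"{path} status={status} error_returned={error_returned} query={query}")
```

A hit with error_returned set is the case to prioritise: the page both accepted the expression and sent the provider's error message back, so the fix is a parameterised query for id plus generic error pages.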

