WebApp Sec mailing list archives

Re: SQL Injection data retrieving??


From: Ben Timby <asp () webexc com>
Date: Fri, 10 Sep 2004 12:03:49 -0500

I see two options...

1. If the page you are attacking displays a listing, let's say a product listing, you can craft your query to emulate this result set. This is painstaking work, but it will allow you to grab many rows/columns at once. Basically you have to make the column names match what they were selecting before so the ASP code can print the values into the HTML for you, and you can then scrape the data out of the HTML. For instance, the price may actually print a CC number, and the product name may be the billing name column from another table altogether.

2. You can select one column at a time using the method you used to find the table/column names (which I am not sure is 100% right BTW; IIRC the sysobjects table does not hold databases, that is in sysdatabases? I would suggest reading the SQL BOL [Books Online]).

ex:

www.mysite.com/products.asp?id=convert(int,(select col1_name from __dellist where 1=1))
...
www.mysite.com/products.asp?id=convert(int,(select col2_name from __dellist where 1=1))
...
www.mysite.com/products.asp?id=convert(int,(select coln_name from __dellist where 1=1))

Of course, this is where a nice little script would come in handy. I wrote one that enums tables and cols, and will convert a regular query into a set of injections. It is very chatty, but of course you are pen testing right? If you are concerned about stealth, use anon. proxies (yes proxies, RR your traffic thru multiple of them).

Hope that helps.

Roland Despins wrote:

I've sent:
www.mysite.com/products.asp?id=convert(int,(select * from __dellist where 1=1))


Error Type:
Microsoft OLE DB Provider for SQL Server (0x80004005)
Subquery returned more than 1 value. This is not permitted when the subquery follows =, !=, <, <= , >, >= or when the 
subquery is used as an expression.
/products.asp, line 32


My question is: Which query should I send in order to retrieve the data of the table??
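
The exchange above describes error-based extraction through a `convert(int,(select ...))` subquery in the `id` parameter, with the OLE DB error text leaking the result. From the defender's side, the two things worth having are a detector for this pattern in the web server logs and the input check that prevents it from reaching the database in the first place. The block below is an added example and is not code from either poster; the IIS-style log lines are constructed, and the field layout, signature names and `numeric_id_or_none` helper are assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (hypothetical layout):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2004-09-10 12:01:02 10.0.0.5 GET /products.asp id=42 200
2004-09-10 12:01:09 10.0.0.5 GET /products.asp id=convert(int,(select+*+from+__dellist+where+1=1)) 500
2004-09-10 12:01:15 10.0.0.5 GET /products.asp id=convert(int,(select+col1_name+from+__dellist+where+1=1)) 500
2004-09-10 12:02:00 10.0.0.7 GET /products.asp id=17 200
2004-09-10 12:02:30 10.0.0.5 GET /products.asp id=1%20union%20select%20name%20from%20sysobjects 500
"""

# Signatures for the techniques discussed in the thread: a subselect forced
# through convert(int, ...) to provoke a type-conversion error, a UNION used to
# splice rows into the page's own result set, and reads of the system catalog.
# Matching is done on the URL-decoded query string so +/%20 encoding does not
# hide the keywords.
SIGNATURES = [
    ("subselect-in-convert", re.compile(r"convert\s*\(\s*int\s*,\s*\(\s*select\b", re.I)),
    ("union-select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("system-catalog", re.compile(r"\bsys(?:objects|columns|databases)\b", re.I)),
]


def parse_line(line):
    """Split one constructed log line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, ip, method, stem, query, status = parts
    return {"date": date, "time": time, "ip": ip, "method": method,
            "stem": stem, "query": query, "status": int(status)}


def scan(log_text):
    """Return (ip, stem, status, [signature names]) for every line that matches.

    A 500 alongside a match is a strong hint the injected subquery reached the
    database and the error page (as in the quoted OLE DB message) was returned.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = unquote_plus(rec["query"])
        hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
        if hits:
            findings.append((rec["ip"], rec["stem"], rec["status"], hits))
    return findings


def errors_by_ip(findings):
    """Count flagged requests that produced a 500 per client IP (burst detection)."""
    counts = {}
    for ip, _stem, status, _hits in findings:
        if status >= 500:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def numeric_id_or_none(raw):
    """Mitigation on the application side: products.asp?id= is a product key, so
    anything but an unsigned decimal integer is rejected before it is used in SQL.
    (Binding the value as a parameter instead of concatenating it is the other half.)
    """
    return int(raw) if raw.isdigit() else None


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
    print(errors_by_ip(scan(SAMPLE_LOG)))
```

Decoding before matching matters because the archive's own examples arrive with `+` for spaces; the same request written with `%20` or mixed case should hit the same rule, which is why every pattern is case-insensitive and runs over `unquote_plus` output.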

