Penetration Testing mailing list archives

Re: SQL Injection


From: Pete Finnigan <pete () peterfinnigan demon co uk>
Date: Mon, 10 Sep 2001 10:42:51 +0100

Hi

The number of columns would have to match but also the data types would
have to match. I know far more about Oracle databases than the MS
versions but I would expect them to act similarly. I don't have an MS
database to try this on. Here are two queries to show what happens on
Oracle.

SQL> sho user
USER is "SYS"
SQL> select username, password
  2  from dba_users
  3  union
  4  select username
  5  from all_users;
select username, password
*
ERROR at line 1:
ORA-01789: query block has incorrect number of result columns 


SQL> select username,password
  2  from dba_users
  3  union
  4  select username,created
  5  from all_users;
select username,password
                *
ERROR at line 1:
ORA-01790: expression must have same datatype as corresponding
expression 


SQL> spool off

This shows that not only the number of columns needs to be the same
but also the data types have to be the same.

I have come across some good articles by rain forest puppy on the
following URLs on SQL injection:

http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=6
http://www.wiretrip.net/rfp/p/doc.asp?id=7&iface=2
http://www.wiretrip.net/rfp/p/doc.asp?id=60&iface=6

hope this helps

cheers

Pete Finnigan
www.pentest-limited.com


In article <003701c13745$911f1910$d401a8c0@spidata>, Kevin Spett
<kspett () mediaone net> writes
I am working on a script where I am able to inject arbitrary SQL code into
the request, but am unable to get the records I want.

A request in this format:

http://www.site.com/script.asp?param1=value1&param2=' UNION SELECT field
FROM table WHERE '1'='

Generates the following error:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] The number of columns in the two
selected tables or queries of a union query do not match.
/script.asp, line 47
   I have been told that this is because the number of columns in the
result table of the first query is not equal to the number of columns in the
result table of the second query, and all I need to do is pad the request
with extra columns like the following until the number of columns is
correct.
http://www.site.com/script.asp?param1=value1&param2=' UNION SELECT field,
field1, field2, field3 FROM table WHERE '1'='
   I have done this with up to around thirty extra fieldnames, and with no
luck.  I would like to know if there are other ways of doing this.  I've
tried using a semicolon to stack requests, but I get an error message
stating that there is data after end of query (which means it's probably an
Access server).  Are there other ways of doing this besides UNION?  I know
the names of other tables and fields in the same db as well as their types.
Also, good sites or papers that discuss SQL code injection would be
appreciated.

Kevin.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


-- 
Pete Finnigan
IT Security Consultant
PenTest Limited

Office  01565 830 990
Fax     01565 830 889
Mobile  07974 087 885

pete.finnigan () pentest-limited com

www.pentest-limited.com
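The defect behind Kevin's script.asp is that the request parameter is spliced into the SQL text, which is why a quote character can close the literal and append a UNION; the column-count error he sees (and the ORA-01789 Pete shows) is the database rejecting a UNION whose two halves differ in width. The following added Python example, which is not part of this thread and not code from either poster, reproduces both behaviours against SQLite with a constructed products/users schema (an assumption of the example), shows the parameterized form of the same query treating the identical input as plain data, and includes a small log-matching helper for the error strings quoted in the thread:

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory sample schema and rows; not Kevin's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "s3cret"))
    return conn


def lookup_vulnerable(conn, param2):
    """Builds the statement the way script.asp evidently does: by concatenating
    the request parameter into the SQL text. The application's own closing quote
    follows the parameter, which is what the trailing WHERE '1'=' shape relies on."""
    sql = "SELECT id, name FROM products WHERE name = '" + param2 + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, param2):
    """Hardened form: the value travels separately from the statement, so quotes
    and keywords inside it are data and cannot change the shape of the query."""
    return conn.execute("SELECT id, name FROM products WHERE name = ?", (param2,)).fetchall()


# Error-text signatures of a UNION whose halves differ in column count or type.
# The Oracle and Access strings are the ones quoted in the thread; the SQLite
# string is SQLite's own message for the same condition.
UNION_MISMATCH_SIGNATURES = (
    re.compile(r"ORA-01789"),  # Oracle: incorrect number of result columns
    re.compile(r"ORA-01790"),  # Oracle: datatype mismatch between UNION branches
    re.compile(r"columns in the two selected tables or queries of a union query do not match"),  # Access
    re.compile(r"do not have the same number of result columns"),  # SQLite
)


def is_union_mismatch_error(message):
    """True when a database error string looks like a UNION column-count or type
    mismatch. A run of these in an application's error log is a good indicator
    that a concatenated query is being probed with padded UNION SELECTs."""
    return any(sig.search(message) for sig in UNION_MISMATCH_SIGNATURES)


def run_demo():
    conn = build_db()
    results = {}
    # 1) Injected SELECT has one column, the outer query has two: same failure
    #    class as ORA-01789 and the Access message in Kevin's post.
    try:
        lookup_vulnerable(conn, "' UNION SELECT username FROM users WHERE '1'='1")
        results["mismatch_error"] = None
    except sqlite3.OperationalError as exc:
        results["mismatch_error"] = str(exc)
    # 2) Column count padded to match: rows of the second SELECT come back through
    #    the first query's result set.
    payload = "' UNION SELECT username, password FROM users WHERE '1'='1"
    results["vulnerable_rows"] = lookup_vulnerable(conn, payload)
    # 3) Identical input through the parameterized query is compared as a literal
    #    product name and matches nothing.
    results["parameterized_rows"] = lookup_parameterized(conn, payload)
    # 4) Ordinary input still works with the hardened query.
    results["normal_rows"] = lookup_parameterized(conn, "widget")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

One difference from Pete's Oracle session: SQLite is dynamically typed, so it enforces only the column count and never raises an equivalent of ORA-01790; the datatype check he demonstrates is an Oracle (and, per his expectation, SQL Server) behaviour, not a universal one.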
