Penetration Testing mailing list archives
Re: SQL Injection
From: Pete Finnigan <pete () peterfinnigan demon co uk>
Date: Mon, 10 Sep 2001 10:42:51 +0100
Hi

The number of columns would have to match but also the data types would have to match. I know far more about Oracle databases than the MS versions but I would expect them to act similarly. I don't have an MS database to try this on. Here are two queries to show what happens on Oracle.

SQL> sho user
USER is "SYS"
SQL> select username, password
  2  from dba_users
  3  union
  4  select username
  5  from all_users;
select username, password
*
ERROR at line 1:
ORA-01789: query block has incorrect number of result columns

SQL> select username,password
  2  from dba_users
  3  union
  4  select username,created
  5  from all_users;
select username,password
*
ERROR at line 1:
ORA-01790: expression must have same datatype as corresponding expression

SQL> spool off

This shows that not only the number of columns needs to be the same but also the data types have to be the same.

I have come across some good articles by rain forest puppy on the following URLs on SQL injection:

http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=6
http://www.wiretrip.net/rfp/p/doc.asp?id=7&iface=2
http://www.wiretrip.net/rfp/p/doc.asp?id=60&iface=6

Hope this helps

Cheers

Pete Finnigan
www.pentest-limited.com

In article <003701c13745$911f1910$d401a8c0@spidata>, Kevin Spett <kspett () mediaone net> writes
> I am working on a script where I am able to inject arbitrary SQL code into the request, but am unable to get the records I want. A request in this format:
>
> http://www.site.com/script.asp?param1=value1&param2=' UNION SELECT field FROM table WHERE '1'='
>
> Generates the following error:
>
> Microsoft OLE DB Provider for ODBC Drivers error '80004005'
> [Microsoft][ODBC Microsoft Access Driver] The number of columns in the two selected tables or queries of a union query do not match.
> /script.asp, line 47
>
> I have been told that this is because the number of columns in the result table of the first query is not equal to the number of columns in the result table of the second query, and all I need to do is pad the request with extra columns like the following until the number of columns is correct.
>
> http://www.site.com/script.asp?param1=value1&param2=' UNION SELECT field, field1, field2, field3 FROM table WHERE '1'='
>
> I have done this with up to around thirty extra fieldnames, and with no luck. I would like to know if there are other ways of doing this. I've tried using a semicolon to stack requests, but I get an error message stating that there is data after end of query (which means it's probably an Access server). Are there other ways of doing this besides UNION? I know the names of other tables and fields in the same db as well as their types.
>
> Also, good sites or papers that discuss SQL code injection would be appreciated.
>
> Kevin.
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
--
Pete Finnigan
IT Security Consultant
PenTest Limited
Office 01565 830 990
Fax 01565 830 889
Mobile 07974 087 885
pete.finnigan () pentest-limited com
www.pentest-limited.com
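The column-count rule Pete demonstrates on Oracle, and the ODBC error Kevin quotes, both come from the database refusing to prepare a UNION whose two SELECTs disagree. The following is an added example, not code from either poster, that reproduces the failure on an in-memory SQLite database (which reports a comparable error) and sets it beside the fix a developer would apply to script.asp: binding the request parameter instead of concatenating it into the statement. The table names, columns and rows are constructed for the demo.

```python
"""Added example (not from the thread): reproduce the UNION column-count
error on SQLite and show that a parameterised query treats the same
input as a plain literal. Schema and data are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a 3-column products table, a 2-column users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        CREATE TABLE users (username TEXT, created TEXT);
        INSERT INTO users VALUES ('alice', '2001-09-10');
        """
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, param: str):
    """String concatenation, as in the quoted script.asp: the input becomes SQL.
    Returns ('rows', rows) on success or ('error', message) if the engine
    rejects the statement, so the caller can see exactly what happened."""
    sql = "SELECT id, name, price FROM products WHERE name = '" + param + "'"
    try:
        return "rows", conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "error", str(exc)


def safe_lookup(conn: sqlite3.Connection, param: str):
    """Parameterised query: the driver binds the input as a value, so the
    statement text never changes and no UNION is ever parsed."""
    sql = "SELECT id, name, price FROM products WHERE name = ?"
    return "rows", conn.execute(sql, (param,)).fetchall()


# Constructed input shaped like the request in the thread: the right-hand
# SELECT has one column while the left-hand SELECT has three.
MISMATCHED = "' UNION SELECT username FROM users WHERE '1'='"


def demo() -> dict:
    """Run both code paths on the same input and return the outcomes."""
    conn = make_db()
    return {
        # concatenation: SQLite refuses the statement, mirroring ORA-01789
        "vulnerable": vulnerable_lookup(conn, MISMATCHED),
        # binding: the payload is just a name nobody has, so zero rows
        "safe": safe_lookup(conn, MISMATCHED),
        # binding with an ordinary value still works as intended
        "safe_normal": safe_lookup(conn, "widget"),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The vulnerable path fails here only because the column counts differ; the fix is not to rely on that accident but to bind parameters, as `safe_lookup` does, so the shape of the user's input can never alter the statement. SQLite is looser than Oracle about column types in a UNION, so this example reproduces ORA-01789 but not the ORA-01790 datatype check Pete shows.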
Current thread:
- SQL Injection Kevin Spett (Sep 07)
- Re: SQL Injection Sverre H. Huseby (Sep 10)
- Re: SQL Injection thorhs (Sep 18)
- Re: SQL Injection Nicolas Gregoire (Sep 10)
- Re: SQL Injection Pete Finnigan (Sep 10)
- Re: SQL Injection Sverre H. Huseby (Sep 10)