Penetration Testing mailing list archives

Re: SQL Injection and text fields

From: Mariano Nuñez Di Croce <mnunez () cybsec com>
Date: Fri, 20 Aug 2004 14:33:08 -0300

Ben Timby wrote:

What do you want to find out? can you post your full input to the field?
I am having trouble understanding what you are doing and trying toaccomplish.
Mariano Nuñez Di Croce wrote:
I'm currently pen-testing a web application based on ASP and SQL Server.
I have already figured out the table and field name by the use of the"having 1=1--" and appending "group by table.name" clauses.
The problem is that I have text fields and those can't be use in theGROUP BY clause, so I get an error and cannot continue with theInjection.
Any ideas?

I 'm testing a page similar to this one:

www.url.com/page.asp?id=2%20group%20by%20table1.fecha,table1.row_id,table1.nombre_fisico,table1.titular,table1.autor,table1.fuente,table1.seccion,table1.ciudad,table1.texto%20having%201=1--

When I send this url whitout "table1.texto", I get an error saying thattable1.texto must be appended to the group by clause... (just like thesame procedure to discover the previous fieldnames).

But this time, when I add this field to the GROUP BY clause i says thatntext, text and image fields cannot be appended to this type of clause.


So...how can I walk through this to keep discovering the remaining fields??

I've heard something about CONVERT function but not sure how toimplement it..


Thanks in advance,


But when


--
----------------------------
Mariano Nuñez Di Croce

CYBSEC S.A. Security Systems
Email: mnunez () cybsec com
Tel/Fax: (54-11) 4382-1600
Web: http://www.cybsec.com
------------------------------


------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040817
-------------------------------------------------------------------------------

Current thread:

SQL Injection and text fields Mariano Nuñez Di Croce (Aug 20)
- Re: SQL Injection and text fields Ben Timby (Aug 21)
  - Re: SQL Injection and text fields Mariano Nuñez Di Croce (Aug 21)
    - Re: SQL Injection and text fields Ben Timby (Aug 20)
    - Re: SQL Injection and text fields Ben Timby (Aug 20)