Penetration Testing mailing list archives
Re: enumeration of SQL column names failed when a column is of type "bit"
From: "Thor" <thor () hammerofgod com>
Date: Wed, 12 May 2004 11:30:40 -0700
Try casting the column as integer first - SQL2000 will do this for you in a standard query - your ODBC driver may not - so, it would be "group by cast(sometable.column1 as integer)"

t

----- Original Message -----
From: "Chan Fook Sheng" <chanfooksheng () pacific net sg>
To: <pen-test () securityfocus com>
Sent: Wednesday, May 12, 2004 3:31 AM
Subject: enumeration of SQL column names failed when a column is of type "bit"
Hi,

I am following David Litchfield's excellent paper on SQL, "Web App disassembly with ODBC Error Messages", on how to enumerate column names. The method appends "having 1=1--" and "group by" in the URL.

Everything went well, but then if I have a table that contains a column of "bit" type, the method outlined in the paper will fail, i.e.
http://somesite/somepage.asp?id=1%20group%20by%20sometable.coulmn1,%20sometable.coulmn2%20having%201=1--
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Cannot group by a bit column.
Anyone aware of any other methods?

fook sheng