SQL Injection

From: Kevin Spett (kspettat_private)
Date: Thu Sep 06 2001 - 17:14:32 PDT


    I am working on a script where I am able to inject arbitrary SQL code into
    the request, but am unable to get the records I want.
    
    A request in this format:
    
    http://www.site.com/script.asp?param1=value1&param2=' UNION SELECT field
    FROM table WHERE '1'='
    
    Generates the following error:
    Microsoft OLE DB Provider for ODBC Drivers error '80004005'
    [Microsoft][ODBC Microsoft Access Driver] The number of columns in the two
    selected tables or queries of a union query do not match.
    /script.asp, line 47
        I have been told that this is because the number of columns in the
    result table of the first query is not equal to the number of columns in the
    result table of the second query, and all I need to do is pad the request
    with extra columns like the following until the number of columns is
    correct.
    http://www.site.com/script.asp?param1=value1&param2=' UNION SELECT field,
    field1, field2, field3 FROM table WHERE '1'='
        I have done this with up to around thirty extra fieldnames, and with no
    luck.  I would like to know if there are other ways of doing this.  I've
    tried using a semicolon to stack requests, but I get an error message
    stating that there is data after end of query (which means it's probably an
    Access server).  Are there other ways of doing this besides UNION?  I know
    the names of other tables and fields in the same db as well as their types.
    Also, good sites or papers that discuss SQL code injection would be
    appreciated.
    
    Kevin.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
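
An added example, not part of the original post or of the script it describes: the column-count error quoted above appears only because the request value is concatenated into the SQL text and the driver message is returned to the client. The sketch below reproduces that condition and shows the parameterized form that removes it. SQLite stands in for the Access/ODBC back end, and the table, column and function names are hypothetical.

```python
import logging
import sqlite3

# The request value from the post, with constructed table/field names filled in.
PAYLOAD = "' UNION SELECT secret FROM accounts WHERE '1'='"

def make_db():
    # Constructed sample schema, held in memory so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE items (id INTEGER, name TEXT, owner TEXT);
        CREATE TABLE accounts (login TEXT, secret TEXT);
        INSERT INTO items VALUES (1, 'widget', 'alice');
        INSERT INTO accounts VALUES ('admin', 'constructed-secret');
    """)
    return db

def lookup_concat(db, owner):
    # 'Before' form: the value is spliced into the statement, so a quote in it
    # closes the string literal and the remainder is parsed as SQL.
    sql = "SELECT id, name, owner FROM items WHERE owner = '" + owner + "'"
    try:
        return ("rows", db.execute(sql).fetchall())
    except sqlite3.Error as exc:
        # Echoing the driver message is what tells the client that the
        # two sides of the UNION differ in column count.
        return ("error", str(exc))

def lookup_param(db, owner):
    # Hardened form: the statement text is fixed and the value is bound,
    # so it is only ever compared as data against the owner column.
    sql = "SELECT id, name, owner FROM items WHERE owner = ?"
    try:
        return ("rows", db.execute(sql, (owner,)).fetchall())
    except sqlite3.Error:
        # Keep the detail in the server log and return a generic message.
        logging.exception("lookup failed")
        return ("error", "request failed")

if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, PAYLOAD))  # driver error text reaches the caller
    print(lookup_param(db, PAYLOAD))   # no error, no rows
```

With the bound parameter the same request value matches no `owner` and produces no SQL error, so the response carries nothing about the query's shape.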
    



    This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 11:07:32 PDT