Re: SQL Injection

From: Pete Finnigan (peteat_private)
Date: Mon Sep 10 2001 - 02:42:51 PDT


    Hi
    
    The number of columns would have to match but also the data types would
    have to match. I know far more about Oracle databases than the MS
    versions but I would expect them to act similarly. I don't have an MS
    database to try this on. Here are two queries to show what happens on
    Oracle.
    
    SQL> sho user
    USER is "SYS"
    SQL> select username, password
      2  from dba_users
      3  union
      4  select username
      5  from all_users;
    select username, password
    *
    ERROR at line 1:
    ORA-01789: query block has incorrect number of result columns 
    
    
    SQL> select username,password
      2  from dba_users
      3  union
      4  select username,created
      5  from all_users;
    select username,password
                    *
    ERROR at line 1:
    ORA-01790: expression must have same datatype as corresponding
    expression 
    
    
    SQL> spool off
    
    This shows that not only the number of columns needs to be the same
    but also the data types have to be the same.
    
    I have come across some good articles by Rain Forest Puppy at the
    following URLs on SQL injection
    
    http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=6
    http://www.wiretrip.net/rfp/p/doc.asp?id=7&iface=2
    http://www.wiretrip.net/rfp/p/doc.asp?id=60&iface=6
    
    hope this helps
    
    cheers
    
    Pete Finnigan
    www.pentest-limited.com
    
    
    In article <003701c13745$911f1910$d401a8c0@spidata>, Kevin Spett
    <kspettat_private> writes
    >I am working on a script where I am able to inject arbitrary SQL code into
    >the request, but am unable to get the records I want.
    >
    >A request in this format:
    >
    >http://www.site.com/script.asp?param1=value1&param2=' UNION SELECT field
    >FROM table WHERE '1'='
    >
    >Generates the following error:
    >Microsoft OLE DB Provider for ODBC Drivers error '80004005'
    >[Microsoft][ODBC Microsoft Access Driver] The number of columns in the two
    >selected tables or queries of a union query do not match.
    >/script.asp, line 47
    >    I have been told that this is because the number of columns in the
    >result table of the first query is not equal to the number of columns in the
    >result table of the second query, and all I need to do is pad the request
    >with extra columns like the following until the number of columns is
    >correct.
    >http://www.site.com/script.asp?param1=value1&param2=' UNION SELECT field,
    >field1, field2, field3 FROM table WHERE '1'='
    >    I have done this with up to around thirty extra fieldnames, and with no
    >luck.  I would like to know if there are other ways of doing this.  I've
    >tried using a semicolon to stack requests, but I get an error message
    >stating that there is data after end of query (which means it's probably an
    >Access server).  Are there other ways of doing this besides UNION?  I know
    >the names of other tables and fields in the same db as well as their types.
    >Also, good sites or papers that discuss SQL code injection would be
    >appreciated.
    >
    >Kevin.
    >
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    >Service. For more information on SecurityFocus' SIA service which
    >automatically alerts you to the latest security vulnerabilities please see:
    >https://alerts.securityfocus.com/
    >
    
    -- 
    Pete Finnigan
    IT Security Consultant
    PenTest Limited
    
    Office  01565 830 990
    Fax     01565 830 889
    Mobile  07974 087 885
    
    pete.finnigan@pentest-limited.com
    
    www.pentest-limited.com
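
Added example, not part of the original message: Python that reviews web request/response records for the behaviour discussed in this thread, counting the select-list columns in each injected UNION SELECT per client and noting when the database error texts quoted above are returned to that client. The record layout, the client addresses, the `www.site.example` host and the threshold of three distinct column counts are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Error texts quoted in this thread; a response containing one leaks query structure.
LEAK_SIGNATURES = ("ORA-01789", "ORA-01790", "union query do not match")
UNION_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\s+(.*?)\s+FROM\b", re.I | re.S)

def union_columns(value):
    """Number of select-list items in a UNION SELECT found in value, else 0."""
    m = UNION_RE.search(value)
    if not m:
        return 0
    depth, count = 0, 1
    for ch in m.group(1):              # count top-level commas only
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            count += 1
    return count

def analyse(records, sweep_threshold=3):
    """records: (client, url, response_body) tuples. Returns findings per client."""
    seen = defaultdict(lambda: {"counts": set(), "leaks": set()})
    for client, url, body in records:
        for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            n = union_columns(value)   # parse_qsl has already URL-decoded value
            if n:
                seen[client]["counts"].add(n)
                seen[client]["leaks"].update(s for s in LEAK_SIGNATURES if s in body)
    return {c: {"sweep": len(f["counts"]) >= sweep_threshold,
                "columns_tried": sorted(f["counts"]),
                "leaked_errors": sorted(f["leaks"])} for c, f in seen.items()}

# Constructed sample records (assumed layout; documentation addresses and host).
BASE = "http://www.site.example/script.asp?param1=value1&param2="
TAIL = "+FROM+table+WHERE+%271%27%3D%27"
ERR = "The number of columns in the two selected tables or queries of a union query do not match."
SAMPLE = [
    ("198.51.100.7", BASE + "%27+UNION+SELECT+field" + TAIL, ERR),
    ("198.51.100.7", BASE + "%27+UNION+SELECT+field,field1,field2,field3" + TAIL, ERR),
    ("198.51.100.7", BASE + "%27+UNION+SELECT+field,field1,field2,field3,field4" + TAIL, ERR),
    ("203.0.113.9", BASE + "value2", "<html>ok</html>"),
    ("192.0.2.44", BASE + "%27+UNION+SELECT+field" + TAIL, "<html>Request failed</html>"),
]

if __name__ == "__main__":
    for client, finding in analyse(SAMPLE).items():
        print(client, finding)
```

A client flagged with `sweep` and a non-empty `leaked_errors` is both probing the column count and being told the result by the application's error page, so the review points at two fixes: the query construction and the error handling.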
    
    



    This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 08:11:45 PDT