Hi

The number of columns would have to match but also the data types would have to match. I know far more about Oracle databases than the MS versions but I would expect them to act similarly. I don't have an MS database to try this on. Here are two queries to show what happens on Oracle.

SQL> sho user
USER is "SYS"
SQL> select username, password
  2  from dba_users
  3  union
  4  select username
  5  from all_users;
select username, password
*
ERROR at line 1:
ORA-01789: query block has incorrect number of result columns

SQL> select username,password
  2  from dba_users
  3  union
  4  select username,created
  5  from all_users;
select username,password
*
ERROR at line 1:
ORA-01790: expression must have same datatype as corresponding expression

SQL> spool off

This shows that not only the number of columns needs to be the same but also the data types have to be the same.

I have come across some good articles by rain forest puppy on SQL injection at the following URLs:

http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=6
http://www.wiretrip.net/rfp/p/doc.asp?id=7&iface=2
http://www.wiretrip.net/rfp/p/doc.asp?id=60&iface=6

hope this helps

cheers

Pete Finnigan
www.pentest-limited.com

In article <003701c13745$911f1910$d401a8c0@spidata>, Kevin Spett <kspettat_private> writes
>I am working on a script where I am able to inject arbitrary SQL code into
>the request, but am unable to get the records I want.
>
>A request in this format:
>
>http://www.site.com/script.asp?param1=value1&param2=' UNION SELECT field
>FROM table WHERE '1'='
>
>Generates the following error:
>Microsoft OLE DB Provider for ODBC Drivers error '80004005'
>[Microsoft][ODBC Microsoft Access Driver] The number of columns in the two
>selected tables or queries of a union query do not match.
>/script.asp, line 47
>
>I have been told that this is because the number of columns in the
>result table of the first query is not equal to the number of columns in the
>result table of the second query, and all I need to do is pad the request
>with extra columns like the following until the number of columns is
>correct.
>http://www.site.com/script.asp?param1=value1&param2=' UNION SELECT field,
>field1, field2, field3 FROM table WHERE '1'='
>
>I have done this with up to around thirty extra fieldnames, and with no
>luck. I would like to know if there are other ways of doing this. I've
>tried using a semicolon to stack requests, but I get an error message
>stating that there is data after end of query (which means it's probably an
>Access server). Are there other ways of doing this besides UNION? I know
>the names of other tables and fields in the same db as well as their types.
>Also, good sites or papers that discuss SQL code injection would be
>appreciated.
>
>Kevin.
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
>Service. For more information on SecurityFocus' SIA service which
>automatically alerts you to the latest security vulnerabilities please see:
>https://alerts.securityfocus.com/
>

--
Pete Finnigan
IT Security Consultant
PenTest Limited
Office  01565 830 990
Fax     01565 830 889
Mobile  07974 087 885
pete.finnigan@pentest-limited.com
www.pentest-limited.com
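The column-count rule the thread turns on is easy to see in a small reproduction. The following Python/sqlite3 code is an added illustration, not code from the thread: it shows the concatenated lookup that Kevin's script resembles failing with a column-count error when the UNION branches differ, running when they match, and the same input being treated as plain data once the value is bound as a parameter. The schema, table names and inputs are constructed; the trailing `'1'='1` form assumes the application's own closing quote completes the comparison. SQLite, unlike Oracle, does not enforce matching datatypes across UNION, so only the column-count error (the ORA-01789 / Access case) is reproduced here.

```python
import sqlite3


def make_db():
    """Constructed sample schema: a 'public' products table and a sensitive users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, price REAL);
        INSERT INTO products VALUES ('widget', 9.99), ('gadget', 19.99);
        CREATE TABLE users (username TEXT, password TEXT, created TEXT);
        INSERT INTO users VALUES ('alice', 'hash-a', '2001-09-01'),
                                 ('bob',   'hash-b', '2001-09-02');
    """)
    return conn


def lookup_vulnerable(conn, param):
    """Builds the statement by string concatenation, so the request value is parsed as SQL."""
    sql = "SELECT name FROM products WHERE name = '" + param + "'"
    try:
        return sorted(row[0] for row in conn.execute(sql))
    except sqlite3.OperationalError as exc:
        # A UNION whose branches have different column counts fails at parse time,
        # the same condition as ORA-01789 / the Access error quoted in the thread.
        # Database errors like this surfacing in application logs are worth alerting on.
        return "ERROR: " + str(exc)


def lookup_safe(conn, param):
    """Binds the value as a parameter: it is compared as data and never parsed as SQL."""
    cur = conn.execute("SELECT name FROM products WHERE name = ?", (param,))
    return sorted(row[0] for row in cur)


# Constructed inputs in the shape of the request from the thread.
MATCHING_COLUMNS = "' UNION SELECT username FROM users WHERE '1'='1"
MISMATCHED_COLUMNS = "' UNION SELECT username, created FROM users WHERE '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, MISMATCHED_COLUMNS))  # column-count error, as in the thread
    print(lookup_vulnerable(db, MATCHING_COLUMNS))    # ['alice', 'bob']: usernames leak
    print(lookup_safe(db, MATCHING_COLUMNS))          # []: treated as a literal product name
    print(lookup_safe(db, "widget"))                  # ['widget']
```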
This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 08:11:45 PDT