Re: SQL Injection with Informix

From: Kevin Spett (kspettat_private)
Date: Wed Jul 03 2002 - 22:38:00 PDT

        You may need to use the date data type as well... I'm not sure about
    Informix (is it DB2 or its own thing, anyone know?) but on Oracle and some
    other servers, a numeric datatype may not implicitly convert to date format.
    Try wrapping a number in a convert()-type call to make it into a date type.
    If you can't get that, see if there is a sysdate variable you can use... If
    the date thing doesn't work out (amazing how this sounds like relationship
    advice) the offending column may be of an even more treacherous data type,
    such as binary information (images stored in a database are essentially
    binary streams for instance) that cannot easily be pushed via a literal
    or a system variable through the ODBC driver.  If this is so, I suggest
    praying for a clever idea to strike you.  Check the Informix docs to see
    what kinds of data types are used and how they can and cannot be converted.
    
    Kevin Spett
    SPI Labs
    http://www.spidynamics.com/
    
    
    ----- Original Message -----
    From: "Whyte, Jesse" <Jesse.Whyteat_private>
    To: <pen-testat_private>
    Sent: Wednesday, July 03, 2002 6:28 PM
    Subject: SQL Injection with Informix
    
    
    > I'm working on an application that appears to be vulnerable to SQL Injection
    > and uses an Informix database on the backend.  By altering the value sent to
    > the application via Cold Fusion URL variables, I can get Informix-generated
    > error messages.  Using the error messages, I progress through the typical
    > stages of a SQL Injection attack, getting Informix ODBC messages that help
    > steer the creation of a valid string for injection, then getting the column
    > numbers correct.  However, I can't seem to get the data types correct, even
    > though I have table descriptions for the table that I am attempting to select
    > from.
    >
    > The URL is basically
    >
    > http://app.default.com/default.cfm?var='UNION%20ALL%20SELECT%20username%2C%20usertype%20FROM%20sysusers
    >
    > Where sysusers is the Informix system users table that should enumerate the
    > system users.  I'm just trying to grab it as a proof-of-concept.  I've
    > played with all different values in place of username and usertype for
    > columns, including numerics (1), single characters ("a"), strings
    > ("aaaaaaaa"), and even the column names like they are above.  I keep getting
    > these error messages:
    >
    > [Informix][Informix ODBC Driver][Informix]Corresponding column types must be compatible for each UNION statement.
    >
    > I'm not very SQL proficient, and my SQL resources have been exhausted.
    > Anybody have any ideas at all?  Even esoteric ones?  Thanks...
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please see:
    > https://alerts.securityfocus.com/
    >
    >
    
    
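
The probing discussed in this thread leaves two traces a defender can look for: a URL variable carrying a UNION SELECT against a system catalog table, and a driver error returned to the client. The Python sketch below is an added example, not part of the original messages; the record layout (request URL plus response snippet), the function names and the sample records are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample records (not real traffic): request URL and a snippet of
# the response body, as a reverse proxy or WAF might record them.
SAMPLE_RECORDS = [
    ("/default.cfm?var=42", "<html>Order 42</html>"),
    ("/default.cfm?var='UNION%20ALL%20SELECT%20username%2C%20usertype%20FROM%20sysusers",
     "[Informix][Informix ODBC Driver][Informix]Corresponding column types "
     "must be compatible for each UNION statement."),
    ("/default.cfm?var=%27uNiOn/**/SeLeCt%201%2C2%20FROM%20systables", "<html>error</html>"),
    ("/search.cfm?q=credit+union+select+committee", "<html>results</html>"),  # benign text
]

# UNION [ALL] SELECT ... FROM <name>, tolerating whitespace or /* */ comments
# between keywords; requiring FROM keeps ordinary prose from matching.
GAP = r"(?:\s|/\*.*?\*/)+"
UNION_RE = re.compile(rf"union{GAP}(?:all{GAP})?select\b.*?\bfrom\s+(\w+)", re.I | re.S)
# Driver-tagged error text such as "[Informix ODBC Driver]" in a response body.
DRIVER_ERROR_RE = re.compile(r"\[[^\]]*ODBC[^\]]*\]", re.I)
# Informix system catalog tables are named sys* (sysusers, systables, ...).
CATALOG_RE = re.compile(r"^sys\w+$", re.I)


def classify(url, body):
    """Return a list of (finding, parameter, table) tuples for one exchange."""
    findings = []
    # parse_qsl percent-decodes each value, so encoded payloads are normalised.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        m = UNION_RE.search(value)
        if m:
            table = m.group(1).lower()
            kind = "union-select-catalog" if CATALOG_RE.match(table) else "union-select"
            findings.append((kind, name, table))
    if DRIVER_ERROR_RE.search(body):
        findings.append(("driver-error-leak", None, None))
    return findings


def triage(records):
    """Map each flagged URL to its findings; clean requests are omitted."""
    return {url: f for url, body in records if (f := classify(url, body))}


if __name__ == "__main__":
    for url, findings in triage(SAMPLE_RECORDS).items():
        print(url, findings)
```

A `driver-error-leak` finding means the application is handing raw database errors to the client, which is the feedback the original poster describes using; returning a generic error page removes that feedback, and bound query parameters remove the injection itself.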
    


