You may need to use the date data type as well... I'm not sure about Informix (is it DB2 or its own thing, anyone know?) but on Oracle and some other servers, a numeric datatype may not implicitly covert to date format. Try wrapping a number in a convert()-type call to make it into a date type. If you can't get that, see if there is a sysdate variable you can use... If the date thing doesn't work out (amazing how this sounds like relationship advice) the offending column may be of an even more treacherous data type, such as binary information (images stored in a database are essentially binary streams for instance) that cannot be easily be pushed via a literal or a system variable through the ODBC driver. If this is so, I suggest praying for a clever idea to strike you. Check the Informix docs to see what kinds of data types are used and how they can and cannot be converted. Kevin Spett SPI Labs http://www.spidynamics.com/ ----- Original Message ----- From: "Whyte, Jesse" <Jesse.Whyteat_private> To: <pen-testat_private> Sent: Wednesday, July 03, 2002 6:28 PM Subject: SQL Injection with Informix > I'm working on an application that appears to be vulnerable to SQL Injection > and uses an Informix database on the backend. By altering the value sent to > the application via Cold Fusion URL variables, I can get Informix-generated > error messages. Using the error messages, I progress through the typical > stages of a SQL Injection attack, getting Informix ODBC messages that help > steer the creation of a valid string for injection, then getting the column > numbers correct. However, I can't seem to get the data types correct, even > though I have table descriptions for the table that I attempting to select > from. > > The URL is basically > http://app.default.com/default.cfm?var='UNION%20ALL%20SELECT%20username%2C%2 > 0usertype%20FROM%20sysusers > > Where sysusers is the Informix system users table that should enumerate the > system users. I'm just trying to grab it as a proof-of-concept. I've > played with all different values in place of username and usertype for > columns, including numerics (1), single characters ("a"), strings > ("aaaaaaaa"), and even the column names like they are above. I keep getting > these error messages: > > [Informix][Informix ODBC Driver][Informix]Corresponding column types must be > compatible for each UNION statement. > > I'm not very SQL proficient, and my SQL resources have been exhausted. > Anybody have any ideas at all? Even esoteric ones? Thanks... > > -------------------------------------------------------------------------- -- > This list is provided by the SecurityFocus Security Intelligence Alert (SIA) > Service. For more information on SecurityFocus' SIA service which > automatically alerts you to the latest security vulnerabilities please see: > https://alerts.securityfocus.com/ > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Thu Jul 04 2002 - 12:59:58 PDT