Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: SQL Injection: Issue with UNION SELECT ALL
From: Francois Larouche <francois.larouche-ml () sqlpowerinjector com>
Date: Thu, 10 Jan 2008 14:16:38 -0800

I wouldn't agree with your statement Zed.

What he found was where the first conversion clash occurred. It seems that your third expression is text field, no big deal. For some reason SQL Server gives a higher priority on text is incompatible with int error or any casting problem than the equal number of expressions in a UNION clause. Believe me I learned that at my expense...

The actual number is 16 if I counted well with his HAVING test.

Your problem now Joseph is just to make sure that you can have the right format. If you use NULL it will work each time, however you won't get anything back...

The error you have is that you used SELECT ALL, in fact you need to use UNION ALL SELECT .... the ALL goes between UNION and SELECT

Good luck

Francois

Zed Qyves wrote:
Hello,

you seem to have successfully enumerated the number of fields of the
first query at
----------------------------------------------------------------------------------
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT
ALL 1,2,3--
       Returns:
       Operand type clash: text is incompatible with int

       Reference Found:
       http://archives.neohapsis.com/archives/sf/pentest/2003-02/0094.html
--------------------------------------------------------------------------------

you can use the convert and sql_variant data type of MS SQL SERVER to
get to the right data types as well.

so you query would look like...

-------------------------------------------------------------------------------
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT
ALL convert(sql_variant,1),convert(sql_variant,2),convert(sql_variant,3)--

Reference:
       http://www.sqlsecurity.com/LinkClick.aspx?link=SQL+Server+Security.ppt&tabid=60&mid=398

-------------------------------------------------------------------------------

Have fun,
ZQ



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]