Re: SQL Injection question

["lipe!" <lipe () brturbo com>]

With IIS you can try to generate a Error Report (if the server has this
enabled)

You can, for example, request the query with a cast operator that can't do
the conversion.

Try this:

select convert(int, password_field+'a') from table where id = 1

When the DB engine try to convert the string (password_field+'a'), it will
report a error, because the conversion is impossible..


+---- - -  -  - - -    -

    _____
  /____ /|
 | :_ _|_|    Felipe Santos Andrade
 | /   | /    Desenvolvedor                     .
 |.____|/     Criativa Solutions
                                                .
                                                .
    /* nós poderiamos ser muito melhores        :
        se não quisessemos ser tão bons */      :
                                                :
                           -    - -  -  - - --- /



----- Original Message ----- 
From: "Serg Belokamen" <serg () dodo com ai>
To: <webappsec () securityfocus com>
Cc: <stewart () flamingspork dot com>
Sent: Wednesday, May 26, 2004 12:49 PM
Subject: SQL Injection question


| Hi All,
|
| I am interested to know (if possible) how to extend an SQL injection
attack to
| display requested information from the injected query rather then the one
coded into the software.
|
| For example performing a successful injection in the following manner:
|
| Normal:
| http://domain.com/script.php?showdata.php=3
|
| Attack:
| http://domain.com/script.php?showdata.php=3;select * from table where id=1
|
| would successfuly execute injected SQL on the datrabase server and return
an error to the caller since the software was made to process a particular
query... not injected one.
|
| How and is it at all possible to actually view the data corresponding to
injected SQL query, being:
|
| select * from table where id=1?
|
|    Best Regards,
|       Serg
|
|