Network Security Pen-Test

Re: SQL Injection: Issue with UNION SELECT ALL

Subject: Re: SQL Injection: Issue with UNION SELECT ALL
Date: Tue, 15 Jan 2008 10:44:52 -0800
Hi Zed,

see my answer inside the text
> On Jan 11, 2008 12:16 AM, Francois Larouche
> <francois.larouche-ml@sqlpowerinjector.com> wrote:
> > I wouldn't agree with your statement, Zed.
> >
> > What he found was where the first conversion clash occurred. It seems
> > that your third expression is a text field, no big deal. For some reason
> > SQL Server gives a higher priority to the "text is incompatible with int"
> > error, or any casting problem, than to the equal-number-of-expressions
> > error of a UNION clause. Believe me, I learned that at my expense...
>
> Chances are I misread your above statement, but what do you mean by
> "or any casting problem"?
> The nvarchar casting above - below works as expected.

I might not have said it right, but what I meant was that casting errors take precedence over the error which states that the UNION doesn't have the right number of expressions. Hence, someone might think that he found the right number of expressions when in fact he is just hitting his first type clash. And of course a cast to nvarchar will work, but I was referring to your statement that he found, or seemed to have found, the right number of expressions (3) when in fact he got a casting problem. (See below.)

> > > you seem to have successfully enumerated the number of fields of the
> > > first query at
> > > ----------------------------------------------------------------------------------
> > > http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT
> > > ALL 1,2,3--
> > >     Returns:
> > >     Operand type clash: text is incompatible with int
> >
> > The actual number is 16 if I counted well with his HAVING test.
> >
> > Your problem now, Joseph, is just to make sure that you can have the right
> > format. If you use NULL it will work each time; however, you won't get
> > anything back...
>
> Partly true - oh well, unless you found something else at your expense
> :). You just have to pick one column that is displayed back and put
> your data selection there if you want multiple data rows to be
> returned back. Alternatively pick an int column and union select
> strings on that. Detailed error messages - which you seem to have -
> will get you the data back one at a time. Recurse on that with NOT IN
> ('data'...)

This time it's my fault, I didn't explain quite well what I meant by "if you use only NULL you'll get nothing back". What I meant was that if you just use SELECT * FROM SomeTable UNION SELECT NULL, NULL, NULL, NULL-- you'll get just the normal result, as if you didn't use the UNION at all. The goal of using NULL is to be able to find out the exact number of expressions without having to bother with stupid casting or collation. Then, when you have the right number of expressions, you can use your trick or any other way you want to get information from the SQL Server.

Wish you well,

Cheers

Francois
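
A detection-side illustration of the probes discussed in this thread (an added example, not code from the thread or from SQL Power Injector): it parses constructed access-log lines, flags UNION SELECT column-count probes (counting the expressions and NULL-only padding) and HAVING tests, and summarises them per source address without trusting the HTTP status code, since, as the thread notes, an error on UNION SELECT 1,2,3 may be a type clash rather than a wrong column count. The log format, addresses and log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_plus
# Constructed access-log lines (not from the thread); the probes mirror those discussed.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jan/2008:10:44:52 -0800] "GET /vulnpage.asp?vulnparam=12345 HTTP/1.1" 200 5120
10.0.0.9 - - [15/Jan/2008:10:45:01 -0800] "GET /vulnpage.asp?vulnparam=12345%20HAVING%201%3D1-- HTTP/1.1" 500 812
10.0.0.9 - - [15/Jan/2008:10:45:07 -0800] "GET /vulnpage.asp?vulnparam=12345%20UNION%20SELECT%20ALL%201,2,3-- HTTP/1.1" 500 790
10.0.0.9 - - [15/Jan/2008:10:45:20 -0800] "GET /vulnpage.asp?vulnparam=12345+UNION+SELECT+NULL,NULL,NULL,NULL-- HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
UNION_RE = re.compile(r'\bunion\s+(?:all\s+)?select\b(.*?)(?:--|#|$)', re.I | re.S)
HAVING_RE = re.compile(r'\bhaving\s+1\s*=\s*1\b', re.I)

def classify_param(value):
    """Return ('union', n_exprs, null_only), ('having', 0, False) or None for a decoded value."""
    m = UNION_RE.search(value)
    if m:
        # Drop a leading SELECT ALL / SELECT DISTINCT so it is not counted as an expression.
        body = re.sub(r'^\s*(?:all|distinct)\b', '', m.group(1), flags=re.I)
        exprs = [e.strip() for e in body.split(',') if e.strip()]
        null_only = bool(exprs) and all(e.upper() == 'NULL' for e in exprs)
        return ('union', len(exprs), null_only)
    if HAVING_RE.search(value):
        return ('having', 0, False)
    return None

def scan_log(text):
    """Return (ip, status, kind, n_exprs, null_only) for each probing request in the log."""
    hits = []
    for line in text.splitlines():
        lm = LOG_RE.match(line)
        if not lm:
            continue
        ip, url, status = lm.group(1), lm.group(2), int(lm.group(3))
        for pair in url.partition('?')[2].split('&'):
            hit = classify_param(unquote_plus(pair.partition('=')[2]))
            if hit:
                hits.append((ip, status) + hit)
    return hits

def enumeration_summary(hits):
    """Per IP: HAVING probe seen and UNION widths tried; status is ignored, since a 500 on
    UNION SELECT 1,2,3 may be a type clash rather than proof of a wrong column count."""
    summary = {}
    for ip, _status, kind, n, _null_only in hits:
        entry = summary.setdefault(ip, {'having': False, 'union_widths': set()})
        if kind == 'having':
            entry['having'] = True
        else:
            entry['union_widths'].add(n)
    return summary
```

A single source that sends a HAVING test followed by UNION probes of growing width is the column-enumeration pattern the thread describes, regardless of which responses errored.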
