Re: SQL Injection - data ntext,image cannot group by....

From: Kevin Spett (kspett@spidynamics.com)
Date: 03/21/02


From: "Kevin Spett" <kspett@spidynamics.com>
To: "Sony Arianto Kurniawan" <sony-ak@aritechdev.com>, <pen-test@securityfocus.com>
Date: Wed, 20 Mar 2002 18:58:28 -0800

Try the convert hack if it's SQL Server. Make your injection string
something like this:
    convert(int, (convert(varchar, (SELECT TOP 1 name FROM sysobjects WHERE xtype='U'))))
You should get back an error message that contains the first name in
sysobjects.

Again, if it's SQL Server, you can inject procedures. Try injecting
sp_makewebtask, which has been discussed on this list twice in the last week
I think.

You also might want to include in your report that (in theory) they may get
a slight performance increase by using type ntext instead of text. The text
data type is really there to just include extra information that isn't
supposed to be used in applications often (or at least that's my
understanding of it.)

Kevin Spett
SPI Dynamics, Inc.

----- Original Message -----
From: "Sony Arianto Kurniawan" <sony-ak@aritechdev.com>
To: <pen-test@securityfocus.com>
Sent: Tuesday, March 19, 2002 8:39 AM
Subject: SQL Injection - data ntext,image cannot group by....

> Dear pen tester,
> I'm interested in SQL injection. I try to know the table structure using '
> having 1=1 -- and ' group by [table_name].[field_name] to enumerate the
> fields.
> But the table contains field with text or image type. I can't use group by
> and I can't continue the injection :( Is there any method to address this
> problem?
> Thanks.
>
> Sony AK
> http://www.aritechdev.com/
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
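
Added example, not part of the original thread or either poster's code: a Python check a defender could run over web-server access logs to flag the request patterns discussed above (the convert() error technique, the ' having 1=1 / ' group by enumeration, and sp_makewebtask). The rule names, the log format and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# One signature per technique named in the thread; rule names are made up here.
RULES = {
    "convert-error-extraction": re.compile(
        r"convert\s*\(\s*int\s*,.*\bselect\b", re.I | re.S),
    "having-groupby-enumeration": re.compile(
        r"'\s*(having\s+1\s*=\s*1|group\s+by\s+[\w\[\]\.]+)", re.I),
    "sp_makewebtask-call": re.compile(r"\bsp_makewebtask\b", re.I),
}

def normalise(raw):
    """Undo (bounded) repeated URL encoding, drop /**/ comments used as
    whitespace, and collapse runs of whitespace before matching."""
    text = raw
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text)

def scan(lines):
    """Return [(line_number, [rule names])] for every line that matches."""
    findings = []
    for number, line in enumerate(lines, 1):
        text = normalise(line)
        hits = sorted(name for name, rx in RULES.items() if rx.search(text))
        if hits:
            findings.append((number, hits))
    return findings

# Constructed sample log lines (method, URL, status); not taken from the thread.
SAMPLE_LOG = [
    "GET /news.asp?id=12 200",
    "GET /news.asp?id=convert(int,(convert(varchar,(SELECT+TOP+1+name+FROM"
    "+sysobjects+WHERE+xtype%3D%27U%27)))) 500",
    "GET /news.asp?id=12%27+having+1%3D1+-- 500",
    "GET /news.asp?id=12%2527%2520GROUP/**/BY%2520news.id-- 500",
    "GET /search.asp?q=how+to+convert+int+to+string 200",
    "GET /news.asp?id=12;exec+sp_makewebtask 500",
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(number, ", ".join(hits))
```

A check like this only sees what reaches the access log, so parameters sent in POST bodies need a different data source. The convert() technique depends on the database error text being returned to the client, so parameterised queries and generic error pages remove what it relies on.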
