RE: SQL Injection & incompatible with int issue

From: Amichai Shulman (shulman_at_imperva.com)
Date: 06/13/04

    Date: Sun, 13 Jun 2004 13:15:00 +0200
    To: <pen-test@securityfocus.com>, "Peter Bair" <peterbair100@hotmail.com>


    Try "Blindfolded SQL Injection"; it should do the trick. URL is
    http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html

    -----Original Message-----
    From: Peter Bair [mailto:peterbair100@hotmail.com]
    Sent: Thursday, June 10, 2004 1:51 AM
    To: pen-test@securityfocus.com
    Subject: SQL Injection & incompatible with int issue

    I am currently testing an application that reveals its tables. I know the
    exact columns to perform a union, but when I try the following:

    xxx.xxx.xxx/item='+union select @@version,1,1,1,1,1,1,1,1,1,1,1,1,1,1+--

    RESULT:

    Operand type clash: text is incompatible with int

    So I will try the solution:

    xxx.xxx.xxx/item='+union select @@version,1,1,1,1,1,1,1,1,1,1,1,1,1,1,"text"+--

    RESULT:

    Invalid column name 'text'.

    I know that "text" is in the correct position and I tried 'text'.

    Is this app safe or can I go further?

    Thanks for any help.

