Re: SQL Injection: Issue with UNION SELECT ALL

From: Francois Larouche (francois.larouche-ml@sqlpowerinjector.com)
Date: Tue Jan 15 2008 - 13:44:52 EST


Hi Zed,

See my answers inside the text.
> On Jan 11, 2008 12:16 AM, Francois Larouche
> <francois.larouche-ml@sqlpowerinjector.com> wrote:
>
>> I wouldn't agree with your statement Zed.
>>
>> What he found was where the first conversion clash occurred. It seems
>> that your third expression is text field, no big deal. For some reason
>> SQL Server gives a higher priority on text is incompatible with int
>> error or any casting problem than the equal number of expressions in a
>> UNION clause. Believe me I learned that at my expense...
>>
>
> Chances are I misread your above statement, but what do you mean by
> "or any casting problem"?
> The nvarchar casting above/below works as expected.
>
I might not have said it right, but what I meant was that casting errors
take precedence over the error which states that the UNION doesn't
have the right number of expressions. Hence, someone might think that he
found the right number of expressions when in fact he is just having his
first type clash. And of course a cast to nvarchar will work, but I
was referring to your statement regarding the fact that he found, or
seemed to have found, the right number of expressions (3) when in fact he
got a casting problem (see below).

>> you seem to have successfully enumerated the number of fields of the
>> first query at
>> ----------------------------------------------------------------------------------
>> http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT
>> ALL 1,2,3--
>> Returns:
>> Operand type clash: text is incompatible with int

>> The actual number is 16 if I counted well with his HAVING test.
>>
>> Your problem now Joseph is just to make sure that you can have the right
>> format. If you use NULL it will work each time, however you won't get
>> anything back...
>>
> Partly true - oh well, unless you found something else at your expense
> :). You just have to pick one column that is displayed back and put
> your data selection there if you want multiple data rows to be
> returned. Alternatively pick an int column and union select
> strings on that. Detailed error messages - which you seem to have -
> will get you the data back one at a time. Recurse on that with NOT IN
> ('data'...).
>
This time it's my fault; I didn't explain very well what I meant by "if
you use only NULL you'll get nothing back". What I meant was that if you just
use SELECT * FROM SomeTable UNION SELECT NULL, NULL, NULL, NULL-- you'll
get just the normal result, as if you didn't use the UNION at all. The
goal of using NULL is to be able to find out the exact number of
expressions without having to bother with stupid casting or collation.
Then, when you have the right number of expressions, you can use your
trick or any other way you want to get information from the SQL Server.

Wish you well,

Cheers

Francois
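The thread above describes the two signals a defender can look for in web server logs: a UNION SELECT probe that comes back with a server error (the "Operand type clash" case, where the expression count is wrong or a type clashed first) and a NULL-padded probe that comes back with the normal page (the count matched and no cast was needed). The following detection script is an added example, not code from the thread or from either poster; the Common Log Format lines, IP addresses, paths and the four-column count are constructed for the example and do not correspond to the site discussed above.

```python
# Added example (not part of the mailing-list thread): flag UNION SELECT
# column-count probes in web server access logs and summarize, per client,
# the largest expression count tried and whether any probe was accepted
# (HTTP 200). All log lines below are constructed sample data.
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines in Common Log Format: client, timestamp,
# request line, status, bytes. The 500s stand in for the type-clash error
# page; the 200 is the "normal result" a NULL-only UNION produces once the
# expression count is right (four columns here, purely for illustration).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jan/2008:13:44:52 -0500] "GET /vulnpage.asp?vulnparam=12345 HTTP/1.1" 200 5120
10.0.0.9 - - [15/Jan/2008:13:45:01 -0500] "GET /vulnpage.asp?vulnparam=12345%20UNION%20SELECT%20ALL%201,2,3-- HTTP/1.1" 500 812
10.0.0.9 - - [15/Jan/2008:13:45:03 -0500] "GET /vulnpage.asp?vulnparam=12345%20UNION%20SELECT%20NULL,NULL,NULL-- HTTP/1.1" 500 812
10.0.0.9 - - [15/Jan/2008:13:45:09 -0500] "GET /vulnpage.asp?vulnparam=12345%20UNION%20SELECT%20NULL,NULL,NULL,NULL-- HTTP/1.1" 200 5120
10.0.0.7 - - [15/Jan/2008:13:46:00 -0500] "GET /search.asp?q=union+station HTTP/1.1" 200 2048
"""

# Common Log Format: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# UNION [ALL] SELECT followed by the expression list, up to a comment
# terminator (-- or /*) or the end of the decoded query string.
UNION_RE = re.compile(
    r'\bUNION\s+(?:ALL\s+)?SELECT\s+(?P<exprs>[^;#]*?)(?:--|/\*|$)',
    re.IGNORECASE,
)


def parse_probes(log_text):
    """Return one record per request whose decoded URL carries a UNION SELECT."""
    probes = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        path = unquote_plus(m.group("path"))  # decode %20, + and friends first
        u = UNION_RE.search(path)
        if not u:
            continue  # e.g. a benign search for "union station"
        exprs = [e.strip() for e in u.group("exprs").split(",") if e.strip()]
        probes.append({
            "ip": m.group("ip"),
            "path": path,
            "status": int(m.group("status")),
            "count": len(exprs),  # number of expressions in the injected SELECT
            "all_null": all(e.upper() == "NULL" for e in exprs),
        })
    return probes


def summarize(probes):
    """Per client: probe count, largest expression count tried, and whether any
    probe returned 200, i.e. the server accepted the injected UNION."""
    summary = defaultdict(lambda: {"probes": 0, "max_count": 0, "accepted": False})
    for p in probes:
        s = summary[p["ip"]]
        s["probes"] += 1
        s["max_count"] = max(s["max_count"], p["count"])
        if p["status"] == 200:
            s["accepted"] = True
    return dict(summary)


if __name__ == "__main__":
    for ip, s in summarize(parse_probes(SAMPLE_LOG)).items():
        flag = "ACCEPTED" if s["accepted"] else "errors only"
        print(f"{ip}: {s['probes']} probe(s), up to {s['max_count']} expressions, {flag}")
```

A client whose NULL-only probe returns 200 after a run of 500s is the case Francois describes: the expression count now matches and the server returned the normal page, so that request deserves an incident ticket rather than a WAF counter. The regex is deliberately narrow (it requires the SELECT keyword, so "union station" is not flagged); the lasting fix for the application itself is parameterized queries, which this log check does not replace.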




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:20 EDT