Re: SQL Injection and text fields

From: Ben Timby (asp@webexc.com)
Date: Fri Aug 20 2004 - 15:40:53 EDT

• Next message: Altheide, Cory B. (IARC): "RE: Exploit Archive"
• Previous message: Marek Wójcik: "Re: Odd server side scripts source disclosure vulnerability"
• In reply to: Mariano Nuñez Di Croce: "Re: SQL Injection and text fields"
• Next in thread: Ben Timby: "Re: SQL Injection and text fields"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Oh, and to directly answer your question, you CAN group text fields:

"...group by cast(sometextfield as varchar(8000))"

8000 = max varchar size.

Enjoy!

Mariano Nuñez Di Croce wrote:

> Ben Timby wrote:
>
>> What do you want to find out? can you post your full input to the field?
>>
>> I am having trouble understanding what you are doing and trying to
>> accomplish.
>>
>> Mariano Nuñez Di Croce wrote:
>>
>>> I'm currently pen-testing a web application based on ASP and SQL Server.
>>>
>>> I have already figured out the table and field name by the use of the
>>> "having 1=1--" and appending "group by table.name" clauses.
>>>
>>> The problem is that I have text fields and those can't be use in the
>>> GROUP BY clause, so I get an error and cannot continue with the
>>> Injection.
>>>
>>> Any ideas?
>>>
>>
>>
> I 'm testing a page similar to this one:
>
> www.url.com/page.asp?id=2%20group%20by%20table1.fecha,table1.row_id,table1.nombre_fisico,table1.titular,table1.autor,table1.fuente,table1.seccion,table1.ciudad,table1.texto%20having%201=1--
>
>
> When I send this url whitout "table1.texto", I get an error saying that
> table1.texto must be appended to the group by clause... (just like the
> same procedure to discover the previous fieldnames).
>
> But this time, when I add this field to the GROUP BY clause i says that
> ntext, text and image fields cannot be appended to this type of clause.
>
> So...how can I walk through this to keep discovering the remaining fields??
> I've heard something about CONVERT function but not sure how to
> implement it..
>
> Thanks in advance,
>
>
> But when
>
>

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040817
-------------------------------------------------------------------------------

• Next message: Altheide, Cory B. (IARC): "RE: Exploit Archive"
• Previous message: Marek Wójcik: "Re: Odd server side scripts source disclosure vulnerability"
• In reply to: Mariano Nuñez Di Croce: "Re: SQL Injection and text fields"
• Next in thread: Ben Timby: "Re: SQL Injection and text fields"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:59 EDT