From: Mariano Nuņez Di Croce (mnunez@cybsec.com)
Date: Fri Aug 20 2004 - 13:33:08 EDT
Ben Timby wrote:
> What do you want to find out? can you post your full input to the field?
>
> I am having trouble understanding what you are doing and trying to
> accomplish.
>
> Mariano Nuņez Di Croce wrote:
>
>> I'm currently pen-testing a web application based on ASP and SQL Server.
>>
>> I have already figured out the table and field name by the use of the
>> "having 1=1--" and appending "group by table.name" clauses.
>>
>> The problem is that I have text fields and those can't be use in the
>> GROUP BY clause, so I get an error and cannot continue with the
>> Injection.
>>
>> Any ideas?
>>
>
>
I 'm testing a page similar to this one:
www.url.com/page.asp?id=2%20group%20by%20table1.fecha,table1.row_id,table1.nombre_fisico,table1.titular,table1.autor,table1.fuente,table1.seccion,table1.ciudad,table1.texto%20having%201=1--
When I send this url whitout "table1.texto", I get an error saying that
table1.texto must be appended to the group by clause... (just like the
same procedure to discover the previous fieldnames).
But this time, when I add this field to the GROUP BY clause i says that
ntext, text and image fields cannot be appended to this type of clause.
So...how can I walk through this to keep discovering the remaining fields??
I've heard something about CONVERT function but not sure how to
implement it..
Thanks in advance,
But when
-- ---------------------------- Mariano Nuņez Di Croce CYBSEC S.A. Security Systems Email: mnunez@cybsec.com Tel/Fax: (54-11) 4382-1600 Web: http://www.cybsec.com ------------------------------ ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040817 -------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:59 EDT