Re: SQL Injection: Issue with UNION SELECT ALL

From: Francois Larouche (francois.larouche-ml@sqlpowerinjector.com)
Date: Thu Jan 10 2008 - 17:16:38 EST


I wouldn't agree with your statement, Zed.

What he found was where the first conversion clash occurred. It seems
that your third expression is a text field, no big deal. For some reason
SQL Server gives higher priority to the "text is incompatible with int"
error, or any casting problem, than to the "equal number of expressions in a
UNION clause" error. Believe me, I learned that at my expense...

The actual number is 16 if I counted well with his HAVING test.

Your problem now, Joseph, is just to make sure that you can have the right
format. If you use NULL it will work each time; however, you won't get
anything back...

The error you have is that you used SELECT ALL; in fact you need to use
UNION ALL SELECT ... (the ALL goes between UNION and SELECT).

Good luck

Francois

Zed Qyves wrote:
> Hello,
>
> you seem to have successfully enumerated the number of fields of the
> first query at
> ----------------------------------------------------------------------------------
> http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT
> ALL 1,2,3--
> Returns:
> Operand type clash: text is incompatible with int
>
> Reference Found:
> http://archives.neohapsis.com/archives/sf/pentest/2003-02/0094.html
> --------------------------------------------------------------------------------
>
> you can use the convert and sql_variant data type of MS SQL SERVER to
> get to the right data types as well.
>
> so your query would look like...
>
> -------------------------------------------------------------------------------
> http://www.vulnerablesite.com/vulnpage.asp?vulnparam=12345 UNION SELECT
> ALL convert(sql_variant,1),convert(sql_variant,2),convert(sql_variant,3)--
>
> Reference:
> http://www.sqlsecurity.com/LinkClick.aspx?link=SQL+Server+Security.ppt&tabid=60&mid=398
>
> -------------------------------------------------------------------------------
>
> Have fun,
> ZQ
>
>
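A defender-side illustration, added here and not part of the thread: a small Python request-log check that URL-decodes the query parameters of requests shaped like the URLs quoted above, flags the UNION SELECT / sql_variant / HAVING shapes the thread discusses, and counts the expressions in the UNION list (the column-count probing the replies describe). The sample request paths are constructed, and the page name and parameter name are assumed from the thread's example URL.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Signatures drawn from the payload shapes quoted in the thread; the exact
# HAVING probe form is assumed. Each regex runs against a decoded parameter
# value with whitespace collapsed.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("having-probe", re.compile(r"\bhaving\s+\d+\s*=\s*\d+", re.I)),
    ("sql_variant-cast", re.compile(r"\bconvert\s*\(\s*sql_variant\s*,", re.I)),
    ("comment-truncation", re.compile(r"--\s*$")),
]

# Constructed sample request paths (not real traffic), modelled on the thread's URLs.
SAMPLE_REQUESTS = [
    "/vulnpage.asp?vulnparam=12345",
    "/vulnpage.asp?vulnparam=12345%20HAVING%201%3D1--",
    "/vulnpage.asp?vulnparam=12345%20UNION%20SELECT%20ALL%201,2,3--",
    "/vulnpage.asp?vulnparam=12345%20UNION%20ALL%20SELECT%20"
    "convert(sql_variant,1),convert(sql_variant,2),convert(sql_variant,3)--",
    "/search.asp?q=union%20station%20schedule",  # benign: no SELECT follows
]


def decoded_params(request_path):
    """Return [(name, value)] with URL decoding applied and whitespace collapsed."""
    query = urlsplit(request_path).query
    return [(k, " ".join(v.split())) for k, v in parse_qsl(query, keep_blank_values=True)]


def union_column_count(value):
    """Number of expressions in the UNION SELECT list, or None if no UNION payload.
    Parentheses are tracked so convert(sql_variant,1) counts as one expression."""
    m = re.search(r"\bunion\s+(?:all\s+)?select\s+(?:all\s+)?(.*?)(?:--|$)", value, re.I | re.S)
    if not m:
        return None
    depth, count = 0, 1
    for ch in m.group(1):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            count += 1
    return count


def classify_request(request_path):
    """Return [(param, matched_labels, union_column_count)] for suspicious parameters."""
    hits = []
    for name, value in decoded_params(request_path):
        labels = [label for label, rx in SIGNATURES if rx.search(value)]
        if labels:
            hits.append((name, labels, union_column_count(value)))
    return hits
```

Running `classify_request` over each entry in SAMPLE_REQUESTS yields an empty list for the two benign paths and, for the probes, the matched signatures plus the UNION list length, which is what lets an analyst see a column-count enumeration sequence in the access log.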




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:19 EDT