SQL Injection & incompatible with int issue
I am currently testing an application that reveals its tables. I know the exact columns to perform a union but when I try the following:
xxx.xxx.xxx/item='+union select @@version,1,1,1,1,1,1,1,1,1,1,1,1,1,1+--
RESULT:
Operand type clash: text is incompatible with int
So I will try the solution:
xxx.xxx.xxx/item='+union select @@version,1,1,1,1,1,1,1,1,1,1,1,1,1,"text"+--
RESULT:
Invalid column name 'text'.
I know that "text" is in the correct position and I tried 'text'.
Is this app safe or can I go further?
Thanks for any help.
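For defenders reviewing web logs for the kind of request and database error responses quoted in this message, a triage sketch follows. It is an added example, not part of the original post; the signature patterns, sample events and function names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures are assumptions modelled on the request and errors quoted in the post.
PROBE_SIGNS = {
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "server-variable": re.compile(r"@@\w+"),
    "column-padding": re.compile(r"(?:,\s*(?:\d+|null)){4,}", re.I),
    "comment-terminator": re.compile(r"--\s*$"),
}
ERROR_SIGNS = [
    re.compile(r"Operand type clash: \w+ is incompatible with \w+", re.I),
    re.compile(r"Invalid column name '[^']*'", re.I),
]

def classify(query_string, response_body):
    """Return (probe_signs, leaked_error, verdict) for one request/response pair."""
    decoded = unquote_plus(query_string)  # decode '+' and %xx before matching
    signs = sorted(n for n, rx in PROBE_SIGNS.items() if rx.search(decoded))
    leaked = next((m.group(0) for rx in ERROR_SIGNS
                   if (m := rx.search(response_body))), None)
    if "union-select" in signs and leaked:
        # A database-engine error in reply to a probe means the input reached
        # the SQL parser: the parameter is concatenated into the query.
        verdict = "confirmed-injectable"
    elif "union-select" in signs:
        verdict = "probe-blocked-or-silent"
    elif leaked:
        verdict = "error-disclosure"
    else:
        verdict = "clean"
    return signs, leaked, verdict

# Constructed sample events (not taken from any real log).
SAMPLE_EVENTS = [
    ("item=42", "<html>Item 42</html>"),
    ("item=%27+union+select+@@version,1,1,1,1+--",
     "<html>Operand type clash: text is incompatible with int</html>"),
    ("item=%27+UNION+ALL+SELECT+null,null,null,null,null+--", "<html>Not found</html>"),
    ("item=abc", "<html>Invalid column name 'abc'.</html>"),
]

def triage(events=SAMPLE_EVENTS):
    return [classify(q, body)[2] for q, body in events]

if __name__ == "__main__":
    for (q, _), verdict in zip(SAMPLE_EVENTS, triage()):
        print(f"{verdict:24} {q}")
```

A "confirmed-injectable" verdict calls for parameterized queries on the affected parameter and generic error pages in place of raw database messages.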
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:55 EDT