Penetration Testing mailing list archives

RE: SQL Injection & incompatible with int issue


From: "Amichai Shulman" <shulman () imperva com>
Date: Sun, 13 Jun 2004 13:15:00 +0200

Try "Blind Folder SQL Injection"; it should do the trick. URL is
http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html

-----Original Message-----
From: Peter Bair [mailto:peterbair100 () hotmail com] 
Sent: Thursday, June 10, 2004 1:51 AM
To: pen-test () securityfocus com
Subject: SQL Injection & incompatible with int issue

I am currently testing an application that reveals its tables. I know the
exact columns to perform a union but when I try the following:

xxx.xxx.xxx/item='+union select @@version,1,1,1,1,1,1,1,1,1,1,1,1,1,1+--

RESULT:

Operand type clash: text is incompatible with int

So I will try the solution:

xxx.xxx.xxx/item='+union select
@@version,1,1,1,1,1,1,1,1,1,1,1,1,1,"text"+--

RESULT:

Invalid column name 'text'.

I know that "text" is in the correct position and I tried 'text'.

Is this app safe or can I go further?

Thanks for any help.
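The query pattern the thread is probing is user input concatenated into the WHERE clause of an item lookup; the added example below (not code from the thread or from the application under test) shows that pattern beside its parameterized form, using an in-memory SQLite table and a constructed payload in the shape of the one above. The `items` schema, the `lookup_*` function names and the payload are assumptions; SQLite stands in for the SQL Server backend the error message points to, so it has no `@@version` and does not raise the operand type clash.

```python
import sqlite3


def make_db():
    # Constructed schema standing in for the application's item lookup
    # (assumption: the thread never shows the real table layout).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)",
                     [(1, "widget", 10), (2, "gadget", 25)])
    return conn


def lookup_vulnerable(conn, item):
    # The pattern behind the thread's item= parameter: the value is pasted
    # straight into the SQL text, so a single quote closes the literal and
    # whatever follows (here a UNION and a -- comment) is parsed as SQL.
    sql = "SELECT name, price FROM items WHERE name = '" + item + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, item):
    # Hardened form: the driver binds the value as data, so it is compared
    # as a string and never parsed as SQL, whatever characters it contains.
    sql = "SELECT name, price FROM items WHERE name = ?"
    return conn.execute(sql, (item,)).fetchall()


# Constructed input in the shape of the thread's payload. The column count
# has to match the two selected columns, and the constant 'injected' marks
# the attacker-chosen column in place of @@version.
PAYLOAD = "' UNION SELECT 'injected', 1 --"


def demo():
    # Returns (rows from the concatenated query, rows from the bound query)
    # so the difference can be checked rather than only printed.
    conn = make_db()
    return lookup_vulnerable(conn, PAYLOAD), lookup_parameterized(conn, PAYLOAD)


if __name__ == "__main__":
    injected, bound = demo()
    print("concatenated query returned:", injected)   # [('injected', 1)]
    print("parameterized query returned:", bound)     # []
```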

