Union query ntext data type in SQL Injection

The union query method is often used in the process of SQL injection. In most cases, the union query method allows us to quickly know the target data organization method. However, when we encounter ntext, text, or image data types, the union query is not very useful. Take SQL server as an example. In this case, the following error is thrown: The ntext data type cannot be set to DISTINCT because it is incomparable.

Here, I use the SQL server database as the test environment for analysis. Because ntext, text, and image data fields may store a large amount of data, by default, the database will forcibly exclude the same data in the above fields to improve efficiency, this is equivalent to adding the distinct keyword to the SQL query statement. Because the data size of this type may be very large, the database cannot effectively compare this type of field, and distinct requires the database to compare the data, as a result, the execution of SQL statements with unionr is incorrect.

After understanding the error principle, we can add the corresponding conditions to the SQL statements that execute the SQL statements to make the SQL statements run correctly. As can be seen from the above, the reason why SQL statements cannot be executed is that the database checks whether the union data is the same, so we only need to remove this default condition. The solution is to add the "all" keyword behind the union keyword.

The following example demonstrates this type of union injection. First, create two tables:
Create table [dbo]. [ntextTest] (
[Id] [int] not null,
[Name] [nchar] (10) NULL,
[Target] [ntext] NULL
) ON [PRIMARY] TEXTIMAGE_ON [PRIMARY]
Create table [dbo]. [support] (
[Col1] [nchar] (10) NULL,
[Col2] [nchar] (10) NULL
) ON [PRIMARY]
Then insert data into these two tables:
Insert into ntextTest values (1, 'aaa', 'adfsfs ')
Insert into ntextTest values (2, 'test', 'aaa ')
Insert into support values ('A', 'bb ')
Then execute the following query:
Select * from ntextTest union select 1, 2, col1 from support
Failed. Run the following command:
Select * from ntextTest union all select 1, col1, col2 from support
This normal response! Then the stuck SQL injection can continue.

The premise of the preceding problem is that ntext, text, image, and other data types appear in the front of the union query. During SQL injection, this is the case where the ntext data type is included in the original query statement of the injection object. Another case is that we want to query the content of the ntext data field during the injection. In this case, there is another operation method. For example, to inject an address: http://www.test.com/show.asp? Id = 1. Assume that the subsequent SQL query statement is: select id, productName, productInfo from product where id = @ id. Both productName and productInfo are of the nvarchar type, if you want to query the content of an article in the article table on the background of this website (represented by content, which is ntext type), you can use the substring function. Substring can be used to extract a portion of ntext data and return it as the nvarchar type. This bypasses the ntext type. As we do the following structure: http://www.test.com/show.asp? Id = 1 and 1 = 2 union select 1, 2 ,..., Substring (content, 1,200),... n from article where id = XX attached substring detailed usage:

Substring function:
{
Return Value: return part of the character, binary, text, or image expression.
Syntax: SUBSTRING (e-xpression, start, length)
Parameters:
E-xpression: a string, binary string, text, image, column, or an expression that contains a column. Do not use expressions that contain aggregate functions.
Start: an integer that refers to the start position of the substring.
Length: an integer that refers to the length of the substring (number of characters to return or the number of bytes ).
Return type:
1) if e-xpression is a supported character data type, character data is returned.
2) if e-xpression is a supported binary data type, binary data is returned.
The type of the returned string is the same as that of the given expression (except for those displayed in the table ).

}

 

Returned type of the given expression
Text varchar
Image varbinary
Ntext nvarchar

Note:

Must be specified in the number of characters

Ntext

,

Char

Or

Varchar

Offset of the Data Type (

Start

And

Length

). Must be specified in bytes

Text

,

Image

,

Binary

Or

Varbinary

The offset of the data type.

Ps: I wrote this article later because I encountered the above problem during the injection process. Baidu has not found any useful information for a long time. I believe that many small dishes like me have such problems that cannot be solved, and I hope this article will be helpful to the small dishes. I am also a beginner in security technology. Many things are unknown, and errors are inevitable. If the old birds find out, please give me some advice!

From: Do not defeat the memories blog