Re: sql injection - missed it at bh/defcon + follow on query.

[Pete Finnigan <pete () peterfinnigan demon co uk>]

Hi

Oracle is a bit more tied down when it comes to SQL injecting it. The
server will complain when the are un-matched quotes and if you try and
pass a string thro a variable in PL/SQL where its a numeric field the
compiler / runtime errors.

I have been looking at SQL injection on Oracle recently. Have another
session running SQL trace through the un-documented debugger oradebug
and set the trace to level 12, this creates a trace file in the
directory pointed to by the initialisation parameter "user_dump_dest".
after you have tried your injection, go and look at this file and find
the cursor and the SQL including your added bit. It should show the sql
string, and you may be able to deduce the error from it, or what to
inject to get round it.

cheers

Pete Finnigan
www.pentest-limited.com


In message <91FDB163EDE0D111BD200060084FA84267BC45@HERBERT>, Paul Midian
<paul.midian () insight co uk> writes
> I got thro' a login by putting
>
> s') OR ('s' = 's
>
> as both username and password.  can't remember exactly but they were doing a
> select from table where username=<input> and password=<input>.  Worked for
> me!
>
> As a follow on - I'm doing another job and am having difficulty injecting
> sql - I keep getting errors like 'SQL command not properly ended' or
> 'unterminated string' and stuff.  Anyone got any ideas?  It's Oracle on the
> backend from IIS BTW.  I've tried various combo's of quotes, strings,
> cr/lf's etc but there nothing going on.
>
> Thanks,
>
> Paul
> -----Original Message-----
> From: nemo latin [mailto:nemo_old () yahoo com]
> Sent: 07 August 2001 20:04
> To: pen-test () securityfocus com
> Subject: sql injection - missed it at bh/defcon
>
>
> All,
>
> I missed the SQL injection talks at bh/defcon - must
> have been my fault - I was told that they were good
> presentations.  However I did see in the CD a glimpse
> of some injection techniques that I tried to follow as
> below.
>
> I have a internal WEB app that has the following
> characteristics:
>
> iis 4.0 (with all patches) - I even tried the old %2e
> asp display the source code and and all variants of
> the showcode.asp !  darn those security conscious
> admins !
>
> input screen is javascript with a form - I can view
> the input page to see the script !
>
> form requires 2 inputs
> login & password
>
> placing a  '  in the login box produces the following
> messages
>
> Microsoft OLE DB Provider for ODBC Drivers error
> '80040e14' 
>
> [Microsoft][ODBC SQL Server Driver][SQL
> Server]Unclosed quote before the character string '''.
>
>
> /Login.asp, line 73 
>
> They must not be screening out the  '  and thanks to
> the error messages I know that the result is going to
> be passed to an SQl server.  What next ??
>
> I tried
>
> '--  
>
> in the login box and  & got a message saying that the
> login name was not found
>
> I tried
>
> login name =   valid name
> with a password of
>
> ' union select * from users where admin=1-
>
> and the message sez the password is wrong for the
> login.
>
> I also tried
>
> ' union select * from users where admin=1-
>
> in the login field and received a message saying that
> the login was longer than 7 characters
>
> Perhaps I am missing some intermediate step(s) ??
>
> Any suggestions ??
>
>
>
>
>
>
> __________________________________________________
> Do You Yahoo!?
> Make international calls for as low as $.04/minute with Yahoo! Messenger
> http://phonecard.yahoo.com/
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
>
>
> ------------Insight Consulting Limited--------------------------------
> Insight Consulting Limited is a leading specialist provider of independent 
> services in all aspects of information and communications security, business 
> continuity and risk management from consultancy, implementation, testing and 
> training to recruitment, research and outsourcing.
> ---------------------Disclaimer----------------------------------------
> Internet communications are not secure and therefore Insight Consulting Limited 
> does not accept legal responsibility for the contents of this message.  Any 
> views or opinions presented are solely those of the author and do not 
> necessarily represent those of Insight Consulting Limited unless otherwise 
> specifically stated. If this message is received by anyone other than the 
> addressee, please notify the sender and then delete the message and any 
> attachments from your computer.
> -----------------------------------------------------------------------
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/

-- 
Pete Finnigan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/