Penetration Testing mailing list archives
Re: sql injection - missed it at bh/defcon + follow on query.
From: Pete Finnigan <pete () peterfinnigan demon co uk>
Date: Fri, 10 Aug 2001 15:51:23 +0100
Hi Oracle is a bit more tied down when it comes to SQL injecting it. The server will complain when the are un-matched quotes and if you try and pass a string thro a variable in PL/SQL where its a numeric field the compiler / runtime errors. I have been looking at SQL injection on Oracle recently. Have another session running SQL trace through the un-documented debugger oradebug and set the trace to level 12, this creates a trace file in the directory pointed to by the initialisation parameter "user_dump_dest". after you have tried your injection, go and look at this file and find the cursor and the SQL including your added bit. It should show the sql string, and you may be able to deduce the error from it, or what to inject to get round it. cheers Pete Finnigan www.pentest-limited.com In message <91FDB163EDE0D111BD200060084FA84267BC45@HERBERT>, Paul Midian <paul.midian () insight co uk> writes
I got thro' a login by putting s') OR ('s' = 's as both username and password. can't remember exactly but they were doing a select from table where username=<input> and password=<input>. Worked for me! As a follow on - I'm doing another job and am having difficulty injecting sql - I keep getting errors like 'SQL command not properly ended' or 'unterminated string' and stuff. Anyone got any ideas? It's Oracle on the backend from IIS BTW. I've tried various combo's of quotes, strings, cr/lf's etc but there nothing going on. Thanks, Paul -----Original Message----- From: nemo latin [mailto:nemo_old () yahoo com] Sent: 07 August 2001 20:04 To: pen-test () securityfocus com Subject: sql injection - missed it at bh/defcon All, I missed the SQL injection talks at bh/defcon - must have been my fault - I was told that they were good presentations. However I did see in the CD a glimpse of some injection techniques that I tried to follow as below. I have a internal WEB app that has the following characteristics: iis 4.0 (with all patches) - I even tried the old %2e asp display the source code and and all variants of the showcode.asp ! darn those security conscious admins ! input screen is javascript with a form - I can view the input page to see the script ! form requires 2 inputs login & password placing a ' in the login box produces the following messages Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quote before the character string '''. /Login.asp, line 73 They must not be screening out the ' and thanks to the error messages I know that the result is going to be passed to an SQl server. What next ?? I tried '-- in the login box and & got a message saying that the login name was not found I tried login name = valid name with a password of ' union select * from users where admin=1- and the message sez the password is wrong for the login. I also tried ' union select * from users where admin=1- in the login field and received a message saying that the login was longer than 7 characters Perhaps I am missing some intermediate step(s) ?? Any suggestions ?? __________________________________________________ Do You Yahoo!? Make international calls for as low as $.04/minute with Yahoo! Messenger http://phonecard.yahoo.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ ------------Insight Consulting Limited-------------------------------- Insight Consulting Limited is a leading specialist provider of independent services in all aspects of information and communications security, business continuity and risk management from consultancy, implementation, testing and training to recruitment, research and outsourcing. ---------------------Disclaimer---------------------------------------- Internet communications are not secure and therefore Insight Consulting Limited does not accept legal responsibility for the contents of this message. Any views or opinions presented are solely those of the author and do not necessarily represent those of Insight Consulting Limited unless otherwise specifically stated. If this message is received by anyone other than the addressee, please notify the sender and then delete the message and any attachments from your computer. ----------------------------------------------------------------------- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
-- Pete Finnigan ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- RE: sql injection - missed it at bh/defcon + follow on query. Paul Midian (Aug 09)
- Re: sql injection - missed it at bh/defcon + follow on query. Pete Finnigan (Aug 12)