Penetration Testing mailing list archives
SQL Injection
From: zqyves () netscape net (Qyves)
Date: Tue, 11 Jun 2002 04:30:48 -0400
Hello all, Last time this was denied on pen-test due to cross-posting issues. I am currently pen-testing a web app and I am stuck in trying to execute two queries sequentially in Oracle. To my knowledge I can do this in SQL by separating the two queries with ; however this is no happening in my case in two circumstances... Here goes the history: Case1: I have a discovered an injectable sql query that is fed its data from a web form, the end query build by a cgi-script being something along those lines: (insert into tab_nam values ('a','b','c','d','e')); - a-e values from the web form- with me being able to inject through concatenation and subqueries between any of those fields a SELECT query. e.g. e='||select password from users where username='adm'||' query=(insert into tab_nam values ('a','b','c','d',''||select password from users where username='adm'||'')); I tried an INSERT to no avail, fair enough since I don't thing that INSERTs are allowed in nested queries... (or are they??) The last characters added by the cgi script are the )); e.g. e=aa')); (insert into powerusers values ('test', 'pwd ^^-- This gets around the NULL value insertion problem query=(insert into tab_nam values ('a','b','c','d','aa')); (insert into powerusers values ('test', 'pwd')); Those two queries should be executed sequentially but Oracle conplains with an Invalid character error Case 2: I have also found a second query I can insert to and parts of it are actually shown raw in the URL as an input to a servlet script e.g. /stupid.cgi?A=123%20AND%20%ID=101 This query appers to be something in the form of: SELECT foo from bar where [URL] ; I can inject an OR 1=1 in the above Url and get all the rows... However when I try the sequential queries again I fail miserably url=/stupid.cgi?A=123%20AND%20%ID=101%20OR%201=1 original url=/stupidservlet?A=123%20AND%20%ID=101 modified url=/stupidservlet?A=123%20AND%20%ID=101; insert into powerusers values ('test', 'pwd) I have full control over the url however I get just a "Server Error" back. Any clues on how to make any of these methods work anyone?? Thanks in advance. Qyves __________________________________________________________________ Your favorite stores, helpful shopping tools and great gift ideas. Experience the convenience of buying online with Shop@Netscape! http://shopnow.netscape.com/ Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- SQL Injection Qyves (Jun 11)
- Re: SQL Injection Chris Humphries (Jun 11)
- Re: SQL Injection Kevin Spett (Jun 11)
- <Possible follow-ups>
- RE: SQL Injection Breidenbach, Beth (Jun 12)
- Re: SQL Injection Sverre H. Huseby (Jun 12)
- RE: SQL Injection Breidenbach, Beth (Jun 12)