Penetration Testing mailing list archives
RE: SQL Injection
From: "Breidenbach, Beth" <Beth.Breidenbach () getronics com>
Date: Tue, 11 Jun 2002 15:23:45 -0700
Qyves,

Oracle doesn't support sending multiple, semicolon-delimited statements such as you are describing. That particular hole is generally only seen with Postgres and SQL Server (and a few MySQL modules). OWASP's list is a helpful resource when determining what injection-related risks a given DB engine has:
http://www.owasp.org/asac/input_validation/sql.shtml

Beth

-----Original Message-----
From: Chris Humphries [mailto:chumphries () devis com]
Sent: Tuesday, June 11, 2002 1:32 PM
To: Qyves
Cc: pen-test () securityfocus com
Subject: Re: SQL Injection

Try URL-encoding the entire string. Also note that ; is a "reserved" part of URL syntax, like ? and &. Also, if it is Java, it may be using an ODBC driver to connect to Oracle, and that may not allow for that anywho. Just some ideas...

On Tue, Jun 11, 2002 at 04:30:48AM -0400, received 2.7K bytes from Qyves containing this:

Hello all,

Last time this was denied on pen-test due to cross-posting issues.

I am currently pen-testing a web app and I am stuck in trying to execute two queries sequentially in Oracle. To my knowledge I can do this in SQL by separating the two queries with ; however this is not happening in my case in two circumstances... Here goes the history:

Case 1: I have discovered an injectable SQL query that is fed its data from a web form, the end query built by a cgi-script being something along those lines:

  (insert into tab_nam values ('a','b','c','d','e'));

- a-e values from the web form - with me being able to inject, through concatenation and subqueries between any of those fields, a SELECT query, e.g.

  e='||select password from users where username='adm'||'
  query=(insert into tab_nam values ('a','b','c','d',''||select password from users where username='adm'||''));

I tried an INSERT to no avail, fair enough since I don't think that INSERTs are allowed in nested queries... (or are they??)

The last characters added by the cgi script are the )); e.g.

  e=aa')); (insert into powerusers values ('test', 'pwd
                                                    ^^-- This gets around the NULL value insertion problem
  query=(insert into tab_nam values ('a','b','c','d','aa')); (insert into powerusers values ('test', 'pwd'));

Those two queries should be executed sequentially, but Oracle complains with an "Invalid character" error.

Case 2: I have also found a second query I can insert into, and parts of it are actually shown raw in the URL as an input to a servlet script, e.g.

  /stupid.cgi?A=123%20AND%20%ID=101

This query appears to be something in the form of:

  SELECT foo from bar where [URL] ;

I can inject an OR 1=1 in the above URL and get all the rows...

However, when I try the sequential queries again I fail miserably:

  url=/stupid.cgi?A=123%20AND%20%ID=101%20OR%201=1
  original url=/stupidservlet?A=123%20AND%20%ID=101
  modified url=/stupidservlet?A=123%20AND%20%ID=101; insert into powerusers values ('test', 'pwd)

I have full control over the URL; however, I get just a "Server Error" back.

Any clues on how to make any of these methods work, anyone??

Thanks in advance.

Qyves

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- SQL Injection Qyves (Jun 11)
- Re: SQL Injection Chris Humphries (Jun 11)
- Re: SQL Injection Kevin Spett (Jun 11)
- <Possible follow-ups>
- RE: SQL Injection Breidenbach, Beth (Jun 12)
- Re: SQL Injection Sverre H. Huseby (Jun 12)
- RE: SQL Injection Breidenbach, Beth (Jun 12)