Penetration Testing mailing list archives
ORACLE pentest sql injection
From: "Zosen Security" <zosen.security () gmail com>
Date: Sat, 22 Dec 2007 17:07:32 +0100
Hi, I'm doing a pentest to a web application that uses an ORACLE database. I suspect that the application is using bind variables in the queries to avoid SQL injection but when I try to inject a SQL statement in a parameter, it rises a ORA-01480 exception. ORA-01480: trailing null missing from STR bind value Cause: A bind variable of type 5 (null-terminated string) does not contain the terminating null in its buffer. Action: Terminate the string with a null character does it mean that the application is using bind variables to protect itself against sql injection??? This example shows simple SQL injection. The query uses bind variables and doesn't rise any exception. It's like the user is typing the password wrong. SQL> variable pword varchar2(30); SQL> exec :uname := 'tom'; SQL> exec :pword := - > 'i_dont_know'' or ''x'' = ''x'; PL/SQL procedure successfully completed. SQL> select count(*) 2 from user_table 3 where username = :uname 4 and password = :pword 5 / COUNT(*) ---------- 0 ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- ORACLE pentest sql injection Zosen Security (Dec 23)