Penetration Testing mailing list archives
Re: Oracle SQL Injection vulnerability
From: "Zed Qyves" <zqyves.spamtrap () gmail com>
Date: Thu, 22 Nov 2007 10:32:00 +0200
Hello, first things first... 1) The SELECT query doesn't seem to be the one you are injecting since there exist single quotes rather than not as I suspected in the previous email. I am assuming that txtUser.Text is the value you are posting. 2) You could be failing because the cmd.ExecuteScalar() is returning NULL that cant be converted to CInt. However I would expect to be getting an ASP.NET error rather than Oracle error in that situation. 3) How do you know that the previous query fires ok? cmd.ExecuteScalar() is the actual execution of the query. do you have any idea from the error messages as to what is cmd pointing to at this place? 4)For Oracle to be complaining you are most likely to be inserting something rather than selecting. maybe there is an active sessions table that your data is reposted maybe some other reason... have a look at the whole page exchange from a logon via an inline proxy. most likely what you put as a username is stored in a session object and is used subsequently, if you are lucky it is the cookie that it stores it in (for pen testers laughing yes in 2007 Anno Domini cookies are still used in web apps to make decisions) now moving to the exploitation part... try the following replacing USERSTABLENAME with the one you know exists... usernamefield: ||(select max(id) from USERSTABLENAME)|| passwordfield: ||(select password from USERSTABLENAME where id=(select max(id) from USERSTABLENAME))|| or usernamefield: '||(select max(id) from USERSTABLENAME)||' passwordfield: '||(select password from USERSTABLENAME where id=(select max(id) from USERSTABLENAME))||' let us know how it goes... In a more general note I would suggest using a valid number in username field and injecting the password field with: anything' or 'd'='d'-- anything' or 'd'='d ./ZQ On Nov 21, 2007 3:56 AM, Attari Attari <c70n3 () yahoo co in> wrote:
Hey Zed, You hit the bulls eye. Now I gave 123 OR 1=1-- as the injection in username field.. I don't get the same error on a previous line but a new error further down the code which says: "ORA-01722: invalid number" Looks like the query earlier is: SELECT COUNT(*) FROM TABLENAME WHERE ID = '" & txtUser.Text & "' and PASSWORD = '"... Now this query is fired fine. But the execution breaks in the next line that says (yes error's are not hidden): If CInt(cmd.ExecuteScalar()) > 0 Suggestions what's going wrong here? Thanks a ton guys. --- Zed Qyves <zqyves.spamtrap () gmail com> wrote:Hello, Wild guess but can the username be numeric only rather than alphanumeric as everyone expects? People often misconceive that the username field as alpha while it may very well not be ...That would explain why you are still getting the "ORA-01756: quoted string not properly terminated" even when you appear to terminating correctly. what if you input "123 or 1=1--" (strip ") in the username field? regards, ./ZQ -----------------------------------------------------------------------Κρέων ἐν τῇδ᾽ ἔφασκε γῇ· τὸ δὲ ζητούμενον ἁλωτόν, ἐκφεύγειν δὲ τἀμελούμενον. Οιδίπους Τύρρανος [110]---------------------------------------------------------------------Creon In this our land, so said he, those who seek Shall find; unsought, we lose it utterly. Oedipus Rex [110]---------------------------------------------------------------------Bring your gang together - do your thing. Go to http://in.promos.yahoo.com/groups
-- --------------------------------------------------------------------- Κρέων ἐν τῇδ᾽ ἔφασκε γῇ· τὸ δὲ ζητούμενον ἁλωτόν, ἐκφεύγειν δὲ τἀμελούμενον. Οιδίπους Τύρρανος [110] --------------------------------------------------------------------- Creon In this our land, so said he, those who seek Shall find; unsought, we lose it utterly. Oedipus Rex [110] ---------------------------------------------------------------------
Current thread:
- Oracle SQL Injection vulnerability Attari Attari (Nov 19)
- Re: Oracle SQL Injection vulnerability Steven Adair (Nov 19)
- Re: Oracle SQL Injection vulnerability Joxean Koret (Nov 19)
- Re: Oracle SQL Injection vulnerability Attari Attari (Nov 24)
- RE: Oracle SQL Injection vulnerability Erin Carroll (Nov 19)
- RE: Oracle SQL Injection vulnerability Paul Melson (Nov 19)
- RE: Oracle SQL Injection vulnerability Attari Attari (Nov 24)
- Re: Oracle SQL Injection vulnerability Zed Qyves (Nov 24)
- Re: Oracle SQL Injection vulnerability Attari Attari (Nov 24)
- Re: Oracle SQL Injection vulnerability Zed Qyves (Nov 24)
- Re: Oracle SQL Injection vulnerability Attari Attari (Nov 24)
- <Possible follow-ups>
- RE: Oracle SQL Injection vulnerability David Cullen (Nov 24)
- Re: RE: Oracle SQL Injection vulnerability eladexposed (Nov 25)