Penetration Testing mailing list archives
Re: Oracle SQL Injection vulnerability
From: Attari Attari <c70n3 () yahoo co in>
Date: Tue, 20 Nov 2007 04:19:31 +0000 (GMT)
Thanks but this too doesn't work. Gives the same error :-(

--- Joxean Koret <joxeankoret () yahoo es> wrote:

> Hi,
>
> Yes, it appears to be vulnerable. Try, also, the following string:
>
> '='' --
>
> I found many times SQL commands constructed as follows:
>
> SELECT * FROM users WHERE '<user_entered_value>' = user_name
>
> Regards,
> Joxean Koret
>
> On lun, 2007-11-19 at 09:32 +0000, Attari Attari wrote:
>> Hi Group,
>>
>> I'm doing a penetration test for a client on their webportal. When I
>> give ' on the username field I was received with an error from the
>> server:
>>
>> Unspecified error
>> ORA-01756: quoted string not properly terminated
>>
>> Does that mean the site is vulnerable to SQL Injection? I tried
>> ' OR 1=1-- and ' OR '1'='1'-- but I get same error message.
>>
>> Any help would be much appreciated.
>>
>> Clone
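An added example, not part of the original posts: the query shape quoted in the thread, built by string concatenation and then with a bind parameter, to show why a lone quote surfaces as a parse error and how binding removes it. SQLite stands in for Oracle so the code runs offline, and the table, data and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite is an assumption standing in for Oracle.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("O'Brien",)])
    return conn

def lookup_concat(conn, value):
    # Vulnerable shape from the thread: input is pasted between the quotes,
    # so a quote in the input changes where the string literal ends.
    sql = "SELECT user_name FROM users WHERE '" + value + "' = user_name"
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, value):
    # Hardened form: the value is sent as a bind parameter and is never
    # parsed as SQL text (Oracle drivers use :name placeholders instead of ?).
    sql = "SELECT user_name FROM users WHERE ? = user_name"
    return [row[0] for row in conn.execute(sql, (value,))]

def probe(conn, value):
    """Return (concat_result, bound_result); a parse failure in the
    concatenated query is reported as the string 'SQL error'."""
    try:
        concat = lookup_concat(conn, value)
    except sqlite3.OperationalError:
        # SQLite's counterpart of the "quoted string not properly
        # terminated" class of error seen in the thread.
        concat = "SQL error"
    return concat, lookup_bound(conn, value)

if __name__ == "__main__":
    conn = make_db()
    for value in ["alice", "'", "O'Brien"]:
        print(repr(value), probe(conn, value))
```

The legitimate name O'Brien breaks the concatenated query in the same way the single quote does, so the raw database error reaching the browser is itself a finding to report alongside the injection.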
Current thread:
- Oracle SQL Injection vulnerability Attari Attari (Nov 19)
- Re: Oracle SQL Injection vulnerability Steven Adair (Nov 19)
- Re: Oracle SQL Injection vulnerability Joxean Koret (Nov 19)
- Re: Oracle SQL Injection vulnerability Attari Attari (Nov 24)
- RE: Oracle SQL Injection vulnerability Erin Carroll (Nov 19)
- RE: Oracle SQL Injection vulnerability Paul Melson (Nov 19)
- RE: Oracle SQL Injection vulnerability Attari Attari (Nov 24)
- Re: Oracle SQL Injection vulnerability Zed Qyves (Nov 24)
- Re: Oracle SQL Injection vulnerability Attari Attari (Nov 24)
- Re: Oracle SQL Injection vulnerability Zed Qyves (Nov 24)
- Re: Oracle SQL Injection vulnerability Attari Attari (Nov 24)
- <Possible follow-ups>
- RE: Oracle SQL Injection vulnerability David Cullen (Nov 24)
- Re: RE: Oracle SQL Injection vulnerability eladexposed (Nov 25)