Penetration Testing mailing list archives
Re: Oracle Pentest
From: Dan Crowley <dcrowley () coresecurity com>
Date: Mon, 03 Jan 2011 14:35:12 -0500
This could be a result of your injection string being loaded into multiple queries, for which there are varying numbers of columns being selected. There are two options I can think of:

1) Concatenate the column with the results of a subquery, like so:

' || (select rownum ROW, name || '-' || password from sys.user$ where type#=1 and ROW = 1) || '

2) Use blind SQL injection techniques or, given verbose errors (which I'm assuming aren't being given to you, otherwise you'd not have to try to determine the number of columns), use failed conversions to produce errors like "Sorry, can't turn (value from database) into an integer for you"

Hope this helps!

PS http://ferruh.mavituna.com/oracle-sql-injection-cheat-sheet-oku/

--
Daniel Crowley, CICP, GCIH
Technical Specialist
Core Security Technologies

"All the forces in the world are not so powerful as an idea whose time has come." - Victor Hugo

On 1/1/2011 7:48 AM, maash.rajani () gmail com wrote:
I found an injection point during a pentest project. They are running an Oracle DBMS. Simply trying ' OR '1'='1' returned one single result.

In trying to find the number of queries returned by the column I used:

' OR '1'='1' ORDER BY n--

Anything above 7 in the Order by query generates an error. So I assumed there were 7 columns being selected. But then when I try

' OR '1'='1' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM DUAL --

I get an incorrect number of columns error. I tried anywhere up to 30 "NULLs"; I keep getting the same error. Any suggestions?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
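An added detection sketch, not part of the thread or of either poster's code: the column-count probing described in the original question (stepping through ORDER BY n, then UNION SELECT with lists of NULLs) leaves a recognizable pattern in web server access logs. The log lines, the Apache-style log format, the function name column_probes and the threshold of three distinct values per client are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in Apache access-log style (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2011:07:40:01 +0000] "GET /item?name=x%27+OR+%271%27%3D%271%27+ORDER+BY+6-- HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2011:07:40:03 +0000] "GET /item?name=x%27+OR+%271%27%3D%271%27+ORDER+BY+7-- HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2011:07:40:05 +0000] "GET /item?name=x%27+OR+%271%27%3D%271%27+ORDER+BY+8-- HTTP/1.1" 500 90
203.0.113.7 - - [01/Jan/2011:07:41:10 +0000] "GET /item?name=x%27+UNION+SELECT+NULL,NULL+FROM+DUAL-- HTTP/1.1" 500 90
203.0.113.7 - - [01/Jan/2011:07:41:12 +0000] "GET /item?name=x%27+UNION+SELECT+NULL,NULL,NULL+FROM+DUAL-- HTTP/1.1" 500 90
198.51.100.4 - - [01/Jan/2011:07:42:00 +0000] "GET /item?name=union+station HTTP/1.1" 200 512
198.51.100.4 - - [01/Jan/2011:07:42:09 +0000] "GET /search?q=order+by+1+item HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP')
ORDER_RE = re.compile(r"\bORDER\s+BY\s+(\d+)", re.I)
UNION_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\s+((?:NULL\s*,\s*)*NULL)\b", re.I)

def column_probes(log_text, min_distinct=3):
    """Return clients that tried several ORDER BY ordinals or UNION NULL widths."""
    ordinals, widths = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Decode %27, '+' and similar so the SQL keywords become visible.
        client, target = m.group(1), unquote_plus(m.group(2))
        for n in ORDER_RE.findall(target):
            ordinals[client].add(int(n))
        for nulls in UNION_RE.findall(target):
            widths[client].add(nulls.upper().count("NULL"))
    findings = {}
    for client in sorted(set(ordinals) | set(widths)):
        # One ORDER BY in a search box is noise; a run of distinct values is a probe.
        if max(len(ordinals[client]), len(widths[client])) >= min_distinct:
            findings[client] = {"order_by": sorted(ordinals[client]),
                                "union_widths": sorted(widths[client])}
    return findings

if __name__ == "__main__":
    for client, detail in column_probes(SAMPLE_LOG).items():
        print(client, detail)
```

The second client's single "order by 1" in a search term stays below the threshold and is not reported, which is why the check counts distinct values per client instead of matching keywords alone.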