WebApp Sec mailing list archives
RE: Re: about oracle sql injection
From: LAROUCHE Francois <Francois.LAROUCHE () accor com>
Date: Tue, 6 Dec 2005 11:05:12 +0100
Hi,
first of all thanks, second, is there any way to collect information from the tables without using union?
Yeah with blind SQL injection with the return error or by comparing the result of the page when it's true or it's false. For example, let's say we have a web page containing a search on some employee table:

1. SMITH will return some result such as his job CLERK
2. You try SMITH' 1=1-- and see if you still see SMITH with CLERK
3. You try SMITH' 1=2-- and see if you see nothing, if so you just found your true/false condition
4. With that information you can try to go get character by character each value in the ORACLE system tables and compare your condition with the true and false result you expect.

It's pretty long and tedious... Good luck with that.

However, I just finished a software that does that automatically, well among other things. I just need to make the web site with a tutorial to explain it and it's out. If you can wait until then, you won't have to bother with the syntax ;)

Good luck with that!

Francois Larouche
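Seen from the defender's side, the true/false probing described in the message above leaves a recognisable pair of requests in the web server log: the same client sends the same parameter value twice, once followed by a comparison that holds and once by one that does not. The following Python is an added example, not part of the original post; the log format, the /search path, the name parameter and the addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (assumed format: client "METHOD target PROTO" status).
SAMPLE_LOG = [
    '10.0.0.5 "GET /search?name=SMITH HTTP/1.1" 200',
    '10.0.0.5 "GET /search?name=SMITH%27%201%3D1-- HTTP/1.1" 200',
    '10.0.0.5 "GET /search?name=SMITH%27%201%3D2-- HTTP/1.1" 200',
    '10.0.0.7 "GET /search?name=JONES%27%201%3D1-- HTTP/1.1" 200',  # lone probe, no pair
    '10.0.0.9 "GET /search?name=O%27Brien HTTP/1.1" 200',           # benign apostrophe
]

LOG_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})$')

# A value that ends in: quote, optional AND/OR, "<x>=<y>", SQL comment marker.
PROBE_RE = re.compile(
    r"^(?P<base>.*?)'\s*(?:and\s+|or\s+)?(?P<l>\w+)\s*=\s*(?P<r>\w+)\s*--\s*$",
    re.IGNORECASE,
)

def find_boolean_probe_pairs(lines):
    """Return (client, path, param, base) tuples for which the same client sent
    both an always-true and an always-false comparison on the same base value."""
    seen = defaultdict(set)  # key -> subset of {"true", "false"}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, target = m.group(1), m.group(2)
        url = urlsplit(target)
        # parse_qsl percent-decodes, so encoded quotes and spaces are normalised
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            p = PROBE_RE.match(value)
            if p:
                outcome = "true" if p["l"].lower() == p["r"].lower() else "false"
                seen[(client, url.path, param, p["base"])].add(outcome)
    return sorted(k for k, v in seen.items() if v == {"true", "false"})

if __name__ == "__main__":
    for hit in find_boolean_probe_pairs(SAMPLE_LOG):
        print("boolean probe pair:", hit)
```

A hit on this pattern is a reason to review how the flagged parameter reaches the database and to move that query to bind variables.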
Current thread:
- about oracle sql injection limor188 (Nov 29)
- Re: about oracle sql injection Mariusz Pękala (Nov 30)
- Re: about oracle sql injection Javier Fernandez-Sanguino (Dec 01)
- Re: about oracle sql injection Richard Moore (Dec 01)
- <Possible follow-ups>
- RE: about oracle sql injection LAROUCHE Francois (Dec 01)
- Re: about oracle sql injection Javier Fernandez-Sanguino (Dec 02)
- Re: Re: about oracle sql injection limor188 (Dec 05)
- RE: Re: about oracle sql injection LAROUCHE Francois (Dec 06)
- RE: RE: Re: about oracle sql injection LAROUCHE Francois (Dec 07)
- Re: RE: Re: about oracle sql injection limor188 (Dec 07)