WebApp Sec mailing list archives
RE: Oracle SQL Injection
From: Mark Keegan <mark.keegan () paradise net nz>
Date: Wed, 12 Jul 2006 14:15:12 +1200
Thanks for the reply Tim. Yes I have read these articles and also the PeteFinnigan.com site. They are both very good resources but although they allude to being able to perform UPDATES etc I couldn't see a good example. As for the SUBSELECT suggestion, I did think about that one myself however I didn't know you can embed UPDATES or DELETES within a SUBSELECT. Could you please provide some sample syntax on this. Thanks Mark MCSD & C|EH -----Original Message----- From: Tim [mailto:tim-security () sentinelchicken org] Sent: Wednesday, 12 July 2006 10:25 a.m. To: Mark Keegan Cc: webappsec () securityfocus com Subject: Re: Oracle SQL Injection Mark,
It appears that Oracle does not like this type of syntax where we are appending an UPDATE onto an existing SELECT statement. Could someone please point me in the right direction on how to execute these type of
commands.
I should also say that the application appears to be replacing a semicolon with a coma.
Have you tried using sub queries? Also, check out these (if you haven't already seen them): http://www.securityfocus.com/infocus/1644 http://www.securityfocus.com/infocus/1646 good luck, tim ------------------------------------------------------------------------- Sponsored by: Watchfire Cross-Site Scripting (XSS) is one of the most common application-level attacks that hackers use to sneak into web applications today. This whitepaper will discuss how traditional CSS attacks are performed, how to secure your site against these attacks and check if your site is protected. Cross-Site Scripting Explained - Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr -------------------------------------------------------------------------- ------------------------------------------------------------------------- Sponsored by: Watchfire Cross-Site Scripting (XSS) is one of the most common application-level attacks that hackers use to sneak into web applications today. This whitepaper will discuss how traditional CSS attacks are performed, how to secure your site against these attacks and check if your site is protected. Cross-Site Scripting Explained - Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr --------------------------------------------------------------------------
Current thread:
- Oracle SQL Injection Mark Keegan (Jul 11)
- Re: Oracle SQL Injection Tim (Jul 11)
- Re: Oracle SQL Injection Cesar (Jul 11)
- Re: Oracle SQL Injection Andrew van der Stock (Jul 11)
- RE: Oracle SQL Injection Mark Keegan (Jul 12)
- Re: Oracle SQL Injection Tim (Jul 12)
- RE: Oracle SQL Injection Mark Keegan (Jul 12)
- RE: Oracle SQL Injection Integrigy (Jul 12)
- Re: Oracle SQL Injection Tim (Jul 11)