WebApp Sec mailing list archives
ORACLE pentest sql injection
From: "Zosen Security" <zosen.security () gmail com>
Date: Sat, 22 Dec 2007 17:07:32 +0100
Hi, I'm doing a pentest to a web application that uses an ORACLE database. I suspect that the application is using bind variables in the queries to avoid SQL injection but when I try to inject a SQL statement in a parameter, it rises a ORA-01480 exception. ORA-01480: trailing null missing from STR bind value Cause: A bind variable of type 5 (null-terminated string) does not contain the terminating null in its buffer. Action: Terminate the string with a null character does it mean that the application is using bind variables to protect itself against sql injection??? This example shows simple SQL injection. The query uses bind variables and doesn't rise any exception. It's like the user is typing the password wrong. SQL> variable pword varchar2(30); SQL> exec :uname := 'tom'; SQL> exec :pword := - > 'i_dont_know'' or ''x'' = ''x'; PL/SQL procedure successfully completed. SQL> select count(*) 2 from user_table 3 where username = :uname 4 and password = :pword 5 / COUNT(*) ---------- 0 ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- ORACLE pentest sql injection Zosen Security (Dec 22)