Penetration Testing mailing list archives
SQL INJECTION - ORACLE
From: "foo bar" <badb0t () hotmail com>
Date: Mon, 10 Dec 2001 16:06:05 +0000
HelloI am performing a vulnerability test against a web application and would like some advice. The application is running IIS 4.0 - all the remote exploits are patched. The backend is just a bunch of VB scripts, getting info from an oracle8 server on AIX.
Most of the places where input is accepted must strip out unexpected characters, but I located one field on a form where input was not properly validated. I've tried posting different strings into the field with limited success. All I'm able to get is errors back. I'd like to take advantage of some stored procedures in oracle. Could you look at the log of my activity below and provide advice on where to go next in order to compromise the database, or the server itself? I'd even be happy with the ability to run a successful query through injection. It looks like their using a package or stored procedure to post the query, and I'm having trouble breaking out of it. Is it possible, if so, how should I go about it?
Input: ' Result: Microsoft OLE DB Provider for ODBC Drivers error '80040e14'[Microsoft][ODBC driver for Oracle][Oracle]ORA-00907: missing right parenthesis
E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128 Input: ') Result: Microsoft OLE DB Provider for ODBC Drivers error '80040e14'[Microsoft][ODBC driver for Oracle][Oracle]ORA-00923: FROM keyword not found where expected
E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128 Input: ') from Result: Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC driver for Oracle][Oracle]ORA-00903: invalid table name E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128 Input: ') from policy Result: Microsoft OLE DB Provider for ODBC Drivers error '80040e14'[Microsoft][ODBC driver for Oracle][Oracle]ORA-00933: SQL command not properly ended
E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128 Input: ') from policy -- "'" Result: Microsoft OLE DB Provider for ODBC Drivers error '80004005'[Microsoft][ODBC driver for Oracle][Oracle]ORA-06553: PLS-306: wrong number or types of arguments in call to 'GETPOLICYNUMBER'
E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128 Input: ') from getpolicynumber -- "'" Result: Microsoft OLE DB Provider for ODBC Drivers error '80004005'[Microsoft][ODBC driver for Oracle][Oracle]ORA-04044: procedure, function, package, or type is not allowed here
E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128 _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- SQL INJECTION - ORACLE foo bar (Dec 10)
- Re: SQL INJECTION - ORACLE Michael Haunzwickl (Dec 10)
- CFM SQL injection Charlie Liserne (Dec 17)
- Re: CFM SQL injection Kevin Spett (Dec 19)
- Re: CFM SQL injection Charlie Liserne (Dec 24)
- CFM SQL injection Charlie Liserne (Dec 17)
- Re: SQL INJECTION - ORACLE Michael Haunzwickl (Dec 10)
- Re: SQL INJECTION - ORACLE Kevin Spett (Dec 10)