Penetration Testing mailing list archives

Re: SQL INJECTION - ORACLE


From: "Kevin Spett" <kspett () spidynamics com>
Date: Mon, 10 Dec 2001 15:51:43 -0800

First of all:
Input: ') from getpolicynumber -- "'"
Result:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'

[Microsoft][ODBC driver for Oracle][Oracle]ORA-04044: procedure, function,
package, or type is not allowed here

There is no magical comment character in Oracle.  -- is only good in SQL
Server.

[Microsoft][ODBC driver for Oracle][Oracle]ORA-06553: PLS-306: wrong number
or types of arguments in call to 'GETPOLICYNUMBER'

Hmmm, looks like your input is going to a user defined stored procedure.
That could mean that you're out of luck.

Try seeing if using a subselect or a union works.  Here are some examples:
Subselect: (SELECT blah FROM bleh WHERE 1=1)
Union: ') UNION SELECT blah, blah, blah FROM bleh WHERE (''='

I've got a paper on the way soon that'll go into detail on these things.


Kevin Spett
Czar of SQL Injection
SPI Dynamics, Inc.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
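
Added example, not part of Kevin Spett's message or any SPI Dynamics code: the error text quoted above hands the client the driver chain, the ORA/PLS codes and the name of a stored procedure, so this sketch scans a response body for that kind of leak, which a defender can run against their own application's error pages. The HTML wrapper and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: the error text quoted in the message above, with its
# hard line wraps kept, embedded in a made-up HTML response body.
SAMPLE_RESPONSE = """<html><body><h1>Policy lookup</h1>
Microsoft OLE DB Provider for ODBC Drivers error '80004005'

[Microsoft][ODBC driver for Oracle][Oracle]ORA-04044: procedure, function,
package, or type is not allowed here

[Microsoft][ODBC driver for Oracle][Oracle]ORA-06553: PLS-306: wrong
number
or types of arguments in call to 'GETPOLICYNUMBER'
</body></html>"""

# One finding = the bracketed driver chain, the ORA code, an optional nested
# PLS code, and the message text up to the next blank line, tag or end of input.
ERROR_RE = re.compile(
    r"((?:\[[^\]\n]+\])+)"          # [Microsoft][ODBC driver for Oracle][Oracle]
    r"(ORA-\d{5}):\s*"              # ORA-06553
    r"(?:(PLS-\d{3,5}):\s*)?"       # PLS-306 (optional)
    r"(.*?)(?=\n\s*\n|\n?<|\Z)",    # message, possibly wrapped over lines
    re.DOTALL,
)
PROVIDER_RE = re.compile(
    r"Microsoft OLE DB Provider for ODBC Drivers error '([0-9A-Fa-f]{8})'")
QUOTED_NAME_RE = re.compile(r"'([A-Za-z_][A-Za-z0-9_$#.]*)'")


def find_leaked_db_errors(body):
    """Return a list of dicts describing Oracle errors exposed in a response body."""
    findings = []
    for chain, ora, pls, msg in ERROR_RE.findall(body):
        message = " ".join(msg.split())  # undo hard line wraps
        findings.append({
            "drivers": re.findall(r"\[([^\]]+)\]", chain),
            "ora_code": ora,
            "pls_code": pls or None,
            "message": message,
            # Identifiers the error reveals about the schema (e.g. a procedure name)
            "leaked_identifiers": QUOTED_NAME_RE.findall(message),
        })
    return findings


def provider_error_codes(body):
    """Return the OLE DB error codes shown to the client, if any."""
    return PROVIDER_RE.findall(body)
```

Any non-empty result from `find_leaked_db_errors` on a production response means raw database errors are reaching the client and should be replaced with a generic error page, with the detail kept in server-side logs.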

