Re: Oracle SQL Injection vulnerability

[Attari Attari <c70n3 () yahoo co in>]

Hey Zed,

You hit the bulls eye. 

Now I gave 123 OR 1=1-- as the injection in username
field.. I don't get the same error on a previous line
but a new error further down the code which says:

"ORA-01722: invalid number"

Looks like the query earlier is:

SELECT COUNT(*) FROM TABLENAME  WHERE ID = '" &
txtUser.Text & "' and PASSWORD =  '"...

Now this query is fired fine. But the execution breaks
in the next line that says (yes error's are not
hidden):
 
If CInt(cmd.ExecuteScalar()) > 0 

Suggestions what's going wrong here?

Thanks a ton guys.

 --- Zed Qyves <zqyves.spamtrap () gmail com> wrote: 
> Hello,
>
> Wild guess but can the username be numeric only
> rather than
> alphanumeric as everyone expects? People often
> misconceive that the
> username field as alpha while it may very well not
> be ...That would
> explain why you are still getting the "ORA-01756:
> quoted string not
> properly terminated" even when you appear to
> terminating correctly.
> what if you input "123 or 1=1--" (strip ") in the
> username field?
>
> regards,
> ./ZQ
>
> -- 
---------------------------------------------------------------------
> Κρέων
> ἐν τῇδ᾽ ἔφασκε γῇ· τὸ δὲ
> ζητούμενον
> ἁλωτόν, ἐκφεύγειν δὲ
> τἀμελούμενον.
> Οιδίπους Τύρρανος [110]
---------------------------------------------------------------------
> Creon
> In this our land, so said he, those who seek  Shall
> find; unsought, we
> lose it utterly.
> Oedipus Rex [110]
---------------------------------------------------------------------
>  


      Bring your gang together - do your thing. Go to http://in.promos.yahoo.com/groups


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------