Penetration Testing mailing list archives
Re: Oracle SQL Injection vulnerability
From: Attari Attari <c70n3 () yahoo co in>
Date: Wed, 21 Nov 2007 01:56:10 +0000 (GMT)
Hey Zed, You hit the bulls eye. Now I gave 123 OR 1=1-- as the injection in username field.. I don't get the same error on a previous line but a new error further down the code which says: "ORA-01722: invalid number" Looks like the query earlier is: SELECT COUNT(*) FROM TABLENAME WHERE ID = '" & txtUser.Text & "' and PASSWORD = '"... Now this query is fired fine. But the execution breaks in the next line that says (yes error's are not hidden): If CInt(cmd.ExecuteScalar()) > 0 Suggestions what's going wrong here? Thanks a ton guys. --- Zed Qyves <zqyves.spamtrap () gmail com> wrote:
Hello, Wild guess but can the username be numeric only rather than alphanumeric as everyone expects? People often misconceive that the username field as alpha while it may very well not be ...That would explain why you are still getting the "ORA-01756: quoted string not properly terminated" even when you appear to terminating correctly. what if you input "123 or 1=1--" (strip ") in the username field? regards, ./ZQ --
---------------------------------------------------------------------
ÎÏÎÏν á¼Î½ Ïá¿Î´á¾½ á¼ÏαÏκε γá¿Â· Ïὸ δὲ ζηÏοÏμενον á¼Î»ÏÏÏν, á¼ÎºÏεÏγειν δὲ Ïá¼Î¼ÎµÎ»Î¿Ïμενον. ÎιδίÏÎ¿Ï Ï Î¤ÏÏÏÎ±Î½Î¿Ï [110]
---------------------------------------------------------------------
Creon In this our land, so said he, those who seek Shall find; unsought, we lose it utterly. Oedipus Rex [110]
---------------------------------------------------------------------
Bring your gang together - do your thing. Go to http://in.promos.yahoo.com/groups ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Oracle SQL Injection vulnerability Attari Attari (Nov 19)
- Re: Oracle SQL Injection vulnerability Steven Adair (Nov 19)
- Re: Oracle SQL Injection vulnerability Joxean Koret (Nov 19)
- Re: Oracle SQL Injection vulnerability Attari Attari (Nov 24)
- RE: Oracle SQL Injection vulnerability Erin Carroll (Nov 19)
- RE: Oracle SQL Injection vulnerability Paul Melson (Nov 19)
- RE: Oracle SQL Injection vulnerability Attari Attari (Nov 24)
- Re: Oracle SQL Injection vulnerability Zed Qyves (Nov 24)
- Re: Oracle SQL Injection vulnerability Attari Attari (Nov 24)
- Re: Oracle SQL Injection vulnerability Zed Qyves (Nov 24)
- Re: Oracle SQL Injection vulnerability Attari Attari (Nov 24)
- <Possible follow-ups>
- RE: Oracle SQL Injection vulnerability David Cullen (Nov 24)
- Re: RE: Oracle SQL Injection vulnerability eladexposed (Nov 25)