Penetration Testing mailing list archives
Re: Oracle URL SQL Injection issue
From: Clone <c70n3 () yahoo co in>
Date: Mon, 21 Jan 2008 20:31:25 +0000 (GMT)
Well I already tried Id=90; select * from usr I got following OCIStmtExecute: ORA-00911: invalid character in dbs.inc on line 44 BTW how serious is the issue? Can an attacker delete or modify database using the current issue? --- Joe Yong <justasqlguy () gmail com> wrote:
It just looks like your query is invalid. While SQL injection is easier to perform than trying to bring some strong encryption, it still requires that your SQL is well formed. In your case, your input string probably does something along the lines of SELECT col1, col2, FROM Tbl_Foo WHERE item_id=:cItemID AND 1=1 is the most commonly cited example for SQL Injection because it will work in almost any situation including the above. However, it doesn't really get you anywhere interesting, takes a little more than that to have fun. Unfortunately, lots of people who write or talk about SQL Injection neglect to mention that you really do need to know what you're writing (just like script kiddies). Your statement, SELECT * FROM usr probably returns a lot more columns than your first query so the UNION will fail. Nothing wrong with the vulnerability. Just regular SQL syntax error. :-) Try something like ; SELECT * FROM usr Bottom line is, you gotta have well formed SQL. joe. On 1/17/08, Clone <c70n3 () yahoo co in> wrote:Hey List I am pen testing a web app that supplies sql parameters on the URL something like http://x.y.z.a/item.php?Id=90 I did blind sql injection by adding AND 1=1 toconfirmthe vulnerability. Now when I do http://x.y.z.a/item.php?Id=90' I get ociparse() [function.ociparse]: OCIParse:ORA-01756:quoted string not properly terminated in item.phponline 312 Then I tried (after confirming presence of usrtablename)
http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;--
and I get the error ociexecute() [function.ociexecute]:OCIStmtExecute:ORA-01789: query block has incorrect number ofresultcolumns in dbs.inc on line 44 I know one valid user account in the oracle DB. Any idea what's the best strategy to move forward? I'm not getting any further from here so far. Any advise / helpo would be much appreciated. Cheers' 5, 50, 500, 5000 - Store N number of mails inyour inbox. Go to
http://help.yahoo.com/l/in/yahoo/mail/yahoomail/tools/tools-08.html
------------------------------------------------------------------------
This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solutionFREE today!http://www.cenzic.com/downloads
------------------------------------------------------------------------
Bring your gang together - do your thing. Go to http://in.promos.yahoo.com/groups ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Oracle URL SQL Injection issue Clone (Jan 18)
- Re: Oracle URL SQL Injection issue jeffrey rivero (Jan 22)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Cesar (Jan 23)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Jason Thompson (Jan 22)
- Re: Oracle URL SQL Injection issue Francois Larouche (Jan 22)
- Re: Oracle URL SQL Injection issue Danux (Jan 22)
- RE: Oracle URL SQL Injection issue Thakrar, Saurabh (Jan 22)
- Re: Oracle URL SQL Injection issue David Howe (Jan 23)
- Re: Oracle URL SQL Injection issue Joe Yong (Jan 22)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Joxean Koret (Jan 23)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Todd Manning (Jan 22)
- <Possible follow-ups>
- Re: Oracle URL SQL Injection issue Clone (Jan 23)
- Re: Oracle URL SQL Injection issue jeffrey rivero (Jan 22)