Penetration Testing mailing list archives

Re: Oracle URL SQL Injection issue

From: Francois Larouche <francois.larouche-ml () sqlpowerinjector com>
Date: Fri, 18 Jan 2008 13:47:47 -0800

Hi,

In order to make your UNION works you need to have the exact number ofexpressions on the SELECT you inject. A start (*) character is not agood idea. So what I suggest is to try to add one at the time NULL or'1' after the SELECT and submit it until it doesn't complain about theincorrect number of columns.

An interesting outcome of your mistake is the presence of the dbs.incfile. I know it's not part of your question but I would suggest to tryto find in which directory it is (perhaps directly where you are if youlucky) and request it. Usually a file with inc extension will bedisplayed as is with the source code. If it's the case you will see theexact SQL syntax inside and you will be able to craft your injectionbetter, among other advantages...


Good luck

Francois

Hey List

I am pen testing a web app that supplies sql
parameters on the URL something like

http://x.y.z.a/item.php?Id=90

I did blind sql injection by adding AND 1=1 to confirm
the vulnerability.

Now when I do

http://x.y.z.a/item.php?Id=90&apos;

I get

ociparse() [function.ociparse]: OCIParse: ORA-01756:
quoted string not properly terminated in item.php on
line 312

Then I tried (after confirming presence of usr table
name)

http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;--

and I get the error

ociexecute() [function.ociexecute]: OCIStmtExecute:
ORA-01789: query block has incorrect number of result
columns in dbs.inc on line 44

I know one valid user account in the oracle DB.

Any idea what's the best strategy to move forward?

I'm not getting any further from here so far.

Any advise / helpo would be much appreciated.

Cheers'



      5, 50, 500, 5000 - Store N number of mails in your inbox. Go to 
http://help.yahoo.com/l/in/yahoo/mail/yahoomail/tools/tools-08.html


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Current thread:

Oracle URL SQL Injection issue Clone (Jan 18)
- Re: Oracle URL SQL Injection issue jeffrey rivero (Jan 22)
  - Re: Oracle URL SQL Injection issue Clone (Jan 22)
    - Re: Oracle URL SQL Injection issue Cesar (Jan 23)
- Re: Oracle URL SQL Injection issue Jason Thompson (Jan 22)
- Re: Oracle URL SQL Injection issue Francois Larouche (Jan 22)
- Re: Oracle URL SQL Injection issue Danux (Jan 22)
- RE: Oracle URL SQL Injection issue Thakrar, Saurabh (Jan 22)
  - Re: Oracle URL SQL Injection issue David Howe (Jan 23)
- Re: Oracle URL SQL Injection issue Joe Yong (Jan 22)
  - Re: Oracle URL SQL Injection issue Clone (Jan 22)
    - Re: Oracle URL SQL Injection issue Joxean Koret (Jan 23)
- Re: Oracle URL SQL Injection issue Todd Manning (Jan 22)
- <Possible follow-ups>
- Re: Oracle URL SQL Injection issue Clone (Jan 23)