Penetration Testing mailing list archives
Re: Oracle URL SQL Injection issue
From: Danux <danuxx () gmail com>
Date: Fri, 18 Jan 2008 18:46:02 -0600
Hi, when you are using the UNION clause, you need to select the same number of fields between your SQL and the one from the application (id=90), this is accomplished by inserting the number 1 till your reach the exact number. For example, lets suppose that the application is constructing a SQL with 3 fields: select f1, f2, f3 where id=90, then you need to put in your injection 3 fields: http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%201,1,1%20from%20usr;-- As your noticed i add 3 fields ("1"), and now there is a match between the 2 clauses, then you can start printing the information by replacing a "1" with the name of the field: http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%201,1,user%20from%20usr;-- i replaced the las "1" with the filed user, and it will be printed on the web page. Obviously, by now, you dont know how many fields the query's Application has, so, you need to start adding "1" chars till the application print the information without errors. Finally, you need to assure that the format of the field that you are inserting (user) has the same format like in the application, lets suppose that in the application the 3rd field is an integer one, then because user is a varchar, nothing will be printed, then you would need to start replacing another field, for example the 2nd one: http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%201,user,1%20from%20usr;-- Try to insert a value in the id field that doesnt exists in the table: for example id=-1 Theres other things you can do, but this should be work. Hope this helps. On Jan 17, 2008 6:21 PM, Clone <c70n3 () yahoo co in> wrote:
Hey List I am pen testing a web app that supplies sql parameters on the URL something like http://x.y.z.a/item.php?Id=90 I did blind sql injection by adding AND 1=1 to confirm the vulnerability. Now when I do http://x.y.z.a/item.php?Id=90' I get ociparse() [function.ociparse]: OCIParse: ORA-01756: quoted string not properly terminated in item.php on line 312 Then I tried (after confirming presence of usr table name) http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;-- and I get the error ociexecute() [function.ociexecute]: OCIStmtExecute: ORA-01789: query block has incorrect number of result columns in dbs.inc on line 44 I know one valid user account in the oracle DB. Any idea what's the best strategy to move forward? I'm not getting any further from here so far. Any advise / helpo would be much appreciated. Cheers' 5, 50, 500, 5000 - Store N number of mails in your inbox. Go to http://help.yahoo.com/l/in/yahoo/mail/yahoomail/tools/tools-08.html ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
-- Danux, CISSP, OSCP Offensive Security Consultant Macula Security Consulting Group www.macula-group.com ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Oracle URL SQL Injection issue Clone (Jan 18)
- Re: Oracle URL SQL Injection issue jeffrey rivero (Jan 22)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Cesar (Jan 23)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Jason Thompson (Jan 22)
- Re: Oracle URL SQL Injection issue Francois Larouche (Jan 22)
- Re: Oracle URL SQL Injection issue Danux (Jan 22)
- RE: Oracle URL SQL Injection issue Thakrar, Saurabh (Jan 22)
- Re: Oracle URL SQL Injection issue David Howe (Jan 23)
- Re: Oracle URL SQL Injection issue Joe Yong (Jan 22)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Joxean Koret (Jan 23)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Todd Manning (Jan 22)
- <Possible follow-ups>
- Re: Oracle URL SQL Injection issue Clone (Jan 23)
- Re: Oracle URL SQL Injection issue jeffrey rivero (Jan 22)