Penetration Testing mailing list archives
Re: Oracle URL SQL Injection issue
From: "Joe Yong" <justasqlguy () gmail com>
Date: Sat, 19 Jan 2008 17:44:30 -0800
It just looks like your query is invalid. While SQL injection is easier to perform than trying to bring some strong encryption, it still requires that your SQL is well formed. In your case, your input string probably does something along the lines of SELECT col1, col2, FROM Tbl_Foo WHERE item_id=:cItemID AND 1=1 is the most commonly cited example for SQL Injection because it will work in almost any situation including the above. However, it doesn't really get you anywhere interesting, takes a little more than that to have fun. Unfortunately, lots of people who write or talk about SQL Injection neglect to mention that you really do need to know what you're writing (just like script kiddies). Your statement, SELECT * FROM usr probably returns a lot more columns than your first query so the UNION will fail. Nothing wrong with the vulnerability. Just regular SQL syntax error. :-) Try something like ; SELECT * FROM usr Bottom line is, you gotta have well formed SQL. joe. On 1/17/08, Clone <c70n3 () yahoo co in> wrote:
Hey List I am pen testing a web app that supplies sql parameters on the URL something like http://x.y.z.a/item.php?Id=90 I did blind sql injection by adding AND 1=1 to confirm the vulnerability. Now when I do http://x.y.z.a/item.php?Id=90' I get ociparse() [function.ociparse]: OCIParse: ORA-01756: quoted string not properly terminated in item.php on line 312 Then I tried (after confirming presence of usr table name) http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;-- and I get the error ociexecute() [function.ociexecute]: OCIStmtExecute: ORA-01789: query block has incorrect number of result columns in dbs.inc on line 44 I know one valid user account in the oracle DB. Any idea what's the best strategy to move forward? I'm not getting any further from here so far. Any advise / helpo would be much appreciated. Cheers' 5, 50, 500, 5000 - Store N number of mails in your inbox. Go to http://help.yahoo.com/l/in/yahoo/mail/yahoomail/tools/tools-08.html ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Oracle URL SQL Injection issue Clone (Jan 18)
- Re: Oracle URL SQL Injection issue jeffrey rivero (Jan 22)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Cesar (Jan 23)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Jason Thompson (Jan 22)
- Re: Oracle URL SQL Injection issue Francois Larouche (Jan 22)
- Re: Oracle URL SQL Injection issue Danux (Jan 22)
- RE: Oracle URL SQL Injection issue Thakrar, Saurabh (Jan 22)
- Re: Oracle URL SQL Injection issue David Howe (Jan 23)
- Re: Oracle URL SQL Injection issue Joe Yong (Jan 22)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Joxean Koret (Jan 23)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Todd Manning (Jan 22)
- <Possible follow-ups>
- Re: Oracle URL SQL Injection issue Clone (Jan 23)
- Re: Oracle URL SQL Injection issue jeffrey rivero (Jan 22)