Penetration Testing mailing list archives
Re: Oracle URL SQL Injection issue
From: Todd Manning <tmanning () bpointsys com>
Date: Sun, 20 Jan 2008 23:03:38 -0600
On Jan 17, 2008, at 6:21 PM, Clone wrote:
http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;-- and I get the error ociexecute() [function.ociexecute]: OCIStmtExecute: ORA-01789: query block has incorrect number of result columns in dbs.inc on line 44
The hint is in the error. Your injected UNION must select the same number of columns as the original query. Vary the number of columns instead of doing a 'select *.' If you don't know the column names, you can do something like 'select 1,2,3,4,5,6,7 from usr'. Since you say you have a valid account on the db server, I guess you could go ahead and find out the schema for the usr table.
------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Re: Oracle URL SQL Injection issue, (continued)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Cesar (Jan 23)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Jason Thompson (Jan 22)
- Re: Oracle URL SQL Injection issue Francois Larouche (Jan 22)
- Re: Oracle URL SQL Injection issue Danux (Jan 22)
- RE: Oracle URL SQL Injection issue Thakrar, Saurabh (Jan 22)
- Re: Oracle URL SQL Injection issue David Howe (Jan 23)
- Re: Oracle URL SQL Injection issue Joe Yong (Jan 22)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Joxean Koret (Jan 23)
- Re: Oracle URL SQL Injection issue Clone (Jan 22)
- Re: Oracle URL SQL Injection issue Todd Manning (Jan 22)
- Re: Oracle URL SQL Injection issue Clone (Jan 23)