Penetration Testing mailing list archives
RE: ORDER BY sql injection help
From: SuRGeoN <srgn.ml () googlemail com>
Date: Sat, 13 Jun 2009 20:30:14 +0100
For Oracle, after an ORDER BY you can inject something like:

    CASE WHEN (1=1) THEN <column_name1> ELSE <column_name2> END
    CASE WHEN (1=0) THEN <column_name1> ELSE <column_name2> END

If you see different ORDER BY results for the two queries above, then you should be able to use various tools to exploit and extract data from the Oracle database. You might also be able to execute utl_http.request (requests to your web server) or utl_inaddr.get_host_address (requests to a domain that you own, and sniffing) to get the results back to you more easily.

SuRGeoN

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of lister () lihim org
Sent: Thursday, June 11, 2009 9:46 PM
To: pen-test () securityfocus com
Subject: ORDER BY sql injection help

Requesting assistance. An application uses GET and one of the parameters translates to an ORDER BY in an Oracle SQL query. I can put in 1 through X where X is a column number to order the output up to X columns. I can also get ORA errors, so I know I have direct access to the SQL query.

I'm looking for references on possible queries for a query with an injectable ORDER BY clause. I'm not sure if it is possible to break out of the ORDER BY to query other data.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
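
The fix for the finding discussed in this thread, as an added example that is not part of the original posts: an ORDER BY column cannot be passed as a bind variable, so the request value is mapped through an allow-list to a fixed identifier. The table, the column names and the "sort" parameter are hypothetical, and an in-memory SQLite database stands in for Oracle so the sketch runs offline.

```python
import sqlite3

# Hypothetical mapping from the public "sort" GET parameter to fixed column
# names. Only these literal identifiers can ever reach the ORDER BY clause.
SORT_COLUMNS = {"name": "name", "created": "created_at", "price": "price"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(sort_key, direction="asc"):
    """Return an ORDER BY fragment built only from allow-listed tokens."""
    try:
        column = SORT_COLUMNS[sort_key]
        order = SORT_DIRECTIONS[direction.lower()]
    except (KeyError, TypeError, AttributeError):
        # Column positions ("2"), expressions and unknown names all end here,
        # before any SQL text is assembled.
        raise ValueError("unsupported sort parameter")
    return f"ORDER BY {column} {order}"


def list_products(conn, sort_key, direction="asc", max_price=1000):
    # Values still travel as bind variables; only the identifier is spliced
    # in, and it comes from SORT_COLUMNS, never from the request itself.
    sql = ("SELECT name FROM products WHERE price <= ? "
           + build_order_by(sort_key, direction))
    return [row[0] for row in conn.execute(sql, (max_price,))]


def demo_connection():
    """Constructed sample data, not taken from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (name TEXT, price INTEGER, created_at TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("widget", 30, "2009-06-01"),
        ("anvil", 90, "2009-05-01"),
        ("gear", 10, "2009-06-10"),
    ])
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(list_products(conn, "price"))
    # The numeric position and the CASE probe from the thread are both refused.
    for probe in ("2", "CASE WHEN (1=1) THEN name ELSE price END"):
        try:
            list_products(conn, probe)
        except ValueError as exc:
            print("rejected", repr(probe), "->", exc)
```

Returning a generic error instead of the database's ORA message also removes the error feedback the original poster describes.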