Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ORDER BY sql injection help

From: Robin Wood <dninja () gmail com>
Date: Mon, 15 Jun 2009 15:08:41 +0100
2009/6/11  <lister () lihim org>:

Requesting assistance.

An application uses GET and one of the parameters translates to an ORDER BY
in an Oracle SQL query.

I can put in 1 through X where X is a column number to order the output up to X columns.

I can also get ORA errors, so I know I have direct access to the SQL query.

I'm looking for references on possible queries for a query with an injectable
ORDER BY clause.  I'm not sure if it is possible to break out of the ORDER BY
to query other data.



Is Oracle like MS SQL where you can add a ; then a second statement?
The second can then be anything you want.

Robin

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: