WebApp Sec mailing list archives

RE: ORACLE SQL Injection Question


From: "Pitts, Christopher C." <Christopher.Pitts () HaverstickConsulting com>
Date: Tue, 4 Nov 2003 14:46:42 -0500

I would take a long look at the "Blind SQL Injection" whitepaper that crossed this list a few weeks ago. I think there's a copy at:
http://www.webcohort.com/Blindfolded_SQL_Injection.pdf
If not, I can send you a copy. It talks about doing pretty much exactly what Mike seems to be looking to do. The "Getting the syntax right" section may be able to point you more closely toward where you need to be to gain your objective.


Christopher

--
Christopher C. Pitts
CISSP 44503, LPIC
Sr. Consultant
Application Security 


Mike Rauch <michaelraouch () yahoo com> 11/03/03 07:57AM >>>
Hello,
I'm performing an assessment on one of our web
applications (black box type) and I came across two
interesting error messages from an Oracle DB when I
supply a 'SELECT statement. The messages are:
 a)  ORA-00933 SQL Command not properly ended
 b)  ORA-00917 Missing comma

I tried various formats to form an SQL statement that
can be parsed but no success.

Can anyone shed any light as to what I may be
able to try?

Thanks!

Mike 




