WebApp Sec mailing list archives
Re: about oracle sql injection
From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Thu, 01 Dec 2005 12:40:58 +0100
Mariusz Pękala wrote:
On 2005-11-29 15:58:14 -0000 (Tue, Nov), limor188 () walla co il wrote:
2) Is there any way to get information out of the db without knowing the column types? Maybe NULLs will pass?
I'm not sure if NULLs are cast automatically to ints/strings in Oracle. They might work for some data types but not for others. Any Oracle expert out there?
IMHO, the best you can do is to first use a 'group by' injection to determine the *name* of the parameters in the select query (you can sometimes infer the data type by it) and then go ahead and determine the data type if you are unable to infer it:
So if you have:

SELECT X, Y, Z FROM A WHERE PARAM=<VAL>

And you inject in <VAL>, try using:

<VAL> = 1 group by 0        [ You will get an error that X is not being grouped by ]
<VAL> = 1 group by X        [ You will get an error that Y is not being grouped by ]
<VAL> = 1 group by X, Y     [ You will get an error that Z is not being grouped by ]
<VAL> = 1 group by X, Y, Z  [ sentence succeeds ]

Now that you have deconstructed the queries you can make some assumptions based on parameter name (uid might be an int, name might be a char). Test those assumptions to see if they prove ok and, for those that don't, then determine the type of each field with:
<VAL>=1 or X=1        [ If no error is returned then it's an integer type ]
<VAL>=1 or X='a'      [ If no error is returned then it's a char, nchar or varchar type ]
<VAL>=1 or X=sysdate  [ If no error is returned then it's a date type ]
...

And so on, for more datatypes, there are ~23, check Oracle's documentation or Google: http://www.ss64.com/orasyntax/datatypes.html, those three are the most common ones.
I'd say you would need only to generate 22 * 23 queries (worst case) to find all the data types (not 2^22 as you mention) and the three above will probably work for most of the data so you are probably talking about maybe 200-300 different queries which can be easily automated with a script. [1]
Regards

Javier

[1] Hint: Just run through all the data types until you don't have an ORA- error in the response. Put the most common data type queries first.
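From the defender's side, the enumeration loop described above (a numeric parameter followed by `group by` or `or`, answered by a run of ORA- errors until one guess succeeds) leaves a recognisable trace in web server logs. The following is an added example, not part of the original thread: it parses constructed access log lines (the fourth column is assumed to hold the ORA- code seen in the response body, or `-` when none) and flags clients whose requests fit that pattern.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not from the original post): client IP, request
# line, HTTP status, and an assumed column with the ORA- code found in the body.
SAMPLE_LOG = """\
10.0.0.5 "GET /item?id=7 HTTP/1.1" 200 -
10.0.0.9 "GET /item?id=1+group+by+0 HTTP/1.1" 500 ORA-00979
10.0.0.9 "GET /item?id=1+group+by+X HTTP/1.1" 500 ORA-00979
10.0.0.9 "GET /item?id=1+group+by+X,Y HTTP/1.1" 500 ORA-00979
10.0.0.9 "GET /item?id=1+group+by+X,Y,Z HTTP/1.1" 200 -
10.0.0.9 "GET /item?id=1+or+X%3D'a' HTTP/1.1" 500 ORA-01722
10.0.0.9 "GET /item?id=1+or+X%3Dsysdate HTTP/1.1" 500 ORA-00932
10.0.0.5 "GET /item?id=8 HTTP/1.1" 200 -
"""

LINE_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) [^"]*" (\d{3}) (\S+)$')
# A numeric value followed by the fragments the post walks through.
PROBE_RE = re.compile(r"^\d+\s+(group\s+by|or)\b", re.IGNORECASE)

def parse_line(line):
    """Split one log line into ip, decoded query parameters, status, ORA flag."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, target, status, err = m.groups()
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {"ip": ip, "params": params, "status": int(status),
            "ora_error": err.startswith("ORA-")}

def is_probe(params):
    """True if any parameter value looks like a type/column enumeration probe."""
    return any(PROBE_RE.match(v) for vals in params.values() for v in vals)

def flag_clients(log_text, max_ora_errors=3):
    """Return {ip: (probe_count, ora_error_count)} for clients that sent at
    least one probe-shaped parameter or collected more than max_ora_errors
    ORA- responses, the signature of the guess-until-no-error loop."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_probe(rec["params"]):
            stats[rec["ip"]][0] += 1
        if rec["ora_error"]:
            stats[rec["ip"]][1] += 1
    return {ip: tuple(c) for ip, c in stats.items()
            if c[0] > 0 or c[1] > max_ora_errors}
```

On the sample above only 10.0.0.9 is reported, with six probe-shaped requests and five ORA- error responses; the clean client 10.0.0.5 is not.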