RE: Oracle SQL Injection

[Mark Keegan <mark.keegan () paradise net nz>]

Yes that could work - I know that in MSSQL I would have to do syntax like
';exec sp_addlogin.  Once again I don't think Oracle likes terminating the
SELECT with a semicolon in this manner.. Maybe as you say if there is a proc
or function I can make use of in the subselect that might work.  

Anyone with a suggestion??

 

-----Original Message-----
From: Tim [mailto:tim-security () sentinelchicken org] 
Sent: Wednesday, 12 July 2006 2:31 p.m.
To: Mark Keegan
Cc: webappsec () securityfocus com
Subject: Re: Oracle SQL Injection

> Thanks for the reply Tim.  Yes I have read these articles and also the 
> PeteFinnigan.com site.  They are both very good resources but although 
> they allude to being able to perform UPDATES etc I couldn't see a good
example.
> As for the SUBSELECT suggestion, I did think about that one myself 
> however I didn't know you can embed UPDATES or DELETES within a 
> SUBSELECT.  Could you please provide some sample syntax on this.


Hmm, perhaps you're right, I don't see anything indicating you can use an
update/delete/insert in a subquery.  I'm no Oracle expert and I don't have a
system to test on right now.  Can you call built-in stored procedures from
your point of injection?  Maybe some of them will be of use to you.

good luck,
tim




-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level 
attacks that hackers use to sneak into web applications today. This 
whitepaper will discuss how traditional CSS attacks are performed, how to 
secure your site against these attacks and check if your site is protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------