WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

ORACLE pentest sql injection

From: "Zosen Security" <zosen.security () gmail com>
Date: Sat, 22 Dec 2007 17:07:32 +0100
Hi,

I'm doing a pentest to a web application that uses an ORACLE database.
I suspect that  the application is using bind variables in the queries
 to avoid SQL injection
but when I try to inject a SQL statement in a parameter, it rises a
ORA-01480 exception.

ORA-01480:  trailing null missing from STR bind value
Cause:    A bind variable of type 5 (null-terminated string) does not
contain the terminating null in its buffer.
Action:    Terminate the string with a null character

does it mean that the application is using bind variables to protect
itself against sql injection???

This example shows simple SQL injection. The query uses bind variables
and doesn't rise any exception. It's like the user is typing the
password wrong.

SQL> variable pword varchar2(30);
SQL> exec :uname := 'tom';
SQL> exec :pword := -
  >  'i_dont_know'' or ''x'' = ''x';

PL/SQL procedure successfully
completed.

SQL> select count(*)
 2    from user_table
  3   where username = :uname
  4     and password = :pword
 5  /
  COUNT(*)
----------
         0

-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: