Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: SQL INJECTION - ORACLE
From: "Kevin Spett" <kspett () spidynamics com>
Date: Mon, 10 Dec 2001 15:51:43 -0800

First of all:
Input: ') from getpolicynumber -- "'"
Result:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'

[Microsoft][ODBC driver for Oracle][Oracle]ORA-04044: procedure, function,
package, or type is not allowed here
There is no magical comment character in Oracle.  -- is only good in SQL
Server.

[Microsoft][ODBC driver for Oracle][Oracle]ORA-06553: PLS-306: wrong
number
or types of arguments in call to 'GETPOLICYNUMBER'
Hmmm, looks like your input is going to a user defined stored procedure.
That could mean that you're out of luck.

Try seeing if using a subselect or a union works.  Here are some examples:
Subselect: (SELECT blah FROM bleh WHERE 1=1)
Union: ') UNION SELECT blah, blah, blah FROM bleh WHERE (''='

I've got a paper on the way soon that'll go into detail on these things.


Kevin Spett
Czar of SQL Injection
SPI Dynamics, Inc.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault