Home page logo

pen-test logo Penetration Testing mailing list archives

Oracle URL SQL Injection issue
From: Clone <c70n3 () yahoo co in>
Date: Fri, 18 Jan 2008 00:21:07 +0000 (GMT)

Hey List

I am pen testing a web app that supplies sql
parameters on the URL something like


I did blind sql injection by adding AND 1=1 to confirm
the vulnerability.

Now when I do


I get 

ociparse() [function.ociparse]: OCIParse: ORA-01756:
quoted string not properly terminated in item.php on
line 312

Then I tried (after confirming presence of usr table


and I get the error

ociexecute() [function.ociexecute]: OCIStmtExecute:
ORA-01789: query block has incorrect number of result
columns in dbs.inc on line 44

I know one valid user account in the oracle DB.

Any idea what's the best strategy to move forward?

I'm not getting any further from here so far.

Any advise / helpo would be much appreciated.


      5, 50, 500, 5000 - Store N number of mails in your inbox. Go to 

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]