Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Oracle URL SQL Injection issue
From: Clone <c70n3 () yahoo co in>
Date: Mon, 21 Jan 2008 20:31:25 +0000 (GMT)

Well I already tried 

Id=90; select * from usr

I got following

OCIStmtExecute: ORA-00911: invalid character in
dbs.inc on line 44


BTW how serious is the issue? Can an attacker delete
or modify database using the current issue?

--- Joe Yong <justasqlguy () gmail com> wrote:

It just looks like your query is invalid.

While SQL injection is easier to perform than trying
to bring some
strong encryption, it still requires that your SQL
is well formed.

In your case, your input string probably does
something along the
lines of SELECT col1, col2, FROM Tbl_Foo WHERE
item_id=:cItemID

AND 1=1 is the most commonly cited example for SQL
Injection because
it will work in almost any situation including the
above. However, it
doesn't really get you anywhere interesting, takes a
little more than
that to have fun. Unfortunately, lots of people who
write or talk
about SQL Injection neglect to mention that you
really do need to know
what you're writing (just like script kiddies).

Your statement, SELECT * FROM usr probably returns a
lot more columns
than your first query so the UNION will fail.
Nothing wrong with the
vulnerability. Just regular SQL syntax error. :-)
Try something like

; SELECT * FROM usr

Bottom line is, you gotta have well formed SQL.


joe.


On 1/17/08, Clone <c70n3 () yahoo co in> wrote:
Hey List

I am pen testing a web app that supplies sql
parameters on the URL something like

http://x.y.z.a/item.php?Id=90

I did blind sql injection by adding AND 1=1 to
confirm
the vulnerability.

Now when I do

http://x.y.z.a/item.php?Id=90&apos;

I get

ociparse() [function.ociparse]: OCIParse:
ORA-01756:
quoted string not properly terminated in item.php
on
line 312

Then I tried (after confirming presence of usr
table
name)



http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;--

and I get the error

ociexecute() [function.ociexecute]:
OCIStmtExecute:
ORA-01789: query block has incorrect number of
result
columns in dbs.inc on line 44

I know one valid user account in the oracle DB.

Any idea what's the best strategy to move forward?

I'm not getting any further from here so far.

Any advise / helpo would be much appreciated.

Cheers'



     5, 50, 500, 5000 - Store N number of mails in
your inbox. Go to

http://help.yahoo.com/l/in/yahoo/mail/yahoomail/tools/tools-08.html




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution
FREE today!

http://www.cenzic.com/downloads


------------------------------------------------------------------------






      Bring your gang together - do your thing. Go to http://in.promos.yahoo.com/groups


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault