WebApp Sec: RE: Oracle SQL Injection

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

WebApp Sec mailing list archives

RE: Oracle SQL Injection

From: Mark Keegan <mark.keegan () paradise net nz>
Date: Wed, 12 Jul 2006 14:15:12 +1200

Thanks for the reply Tim.  Yes I have read these articles and also the
PeteFinnigan.com site.  They are both very good resources but although they
allude to being able to perform UPDATES etc I couldn't see a good example.  

As for the SUBSELECT suggestion, I did think about that one myself however I
didn't know you can embed UPDATES or DELETES within a SUBSELECT.  Could you
please provide some sample syntax on this.

Thanks
Mark MCSD & C|EH 

-----Original Message-----
From: Tim [mailto:tim-security () sentinelchicken org] 
Sent: Wednesday, 12 July 2006 10:25 a.m.
To: Mark Keegan
Cc: webappsec () securityfocus com
Subject: Re: Oracle SQL Injection

Mark,

It appears that Oracle does not like this type of syntax where we are 
appending an UPDATE onto an existing SELECT statement.  Could someone 
please point me in the right direction on how to execute these type of

commands.

 
I should also say that the application appears to be replacing a 
semicolon with a coma.



Have you tried using sub queries?

Also, check out these (if you haven't already seen them):
  http://www.securityfocus.com/infocus/1644
  http://www.securityfocus.com/infocus/1646

good luck,
tim

-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level
attacks that hackers use to sneak into web applications today. This
whitepaper will discuss how traditional CSS attacks are performed, how to
secure your site against these attacks and check if your site is protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------





-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level 
attacks that hackers use to sneak into web applications today. This 
whitepaper will discuss how traditional CSS attacks are performed, how to 
secure your site against these attacks and check if your site is protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------

By Date By Thread

Current thread:

Oracle SQL Injection Mark Keegan (Jul 11)
- Re: Oracle SQL Injection Tim (Jul 11)
  - Re: Oracle SQL Injection Cesar (Jul 11)
  - Re: Oracle SQL Injection Andrew van der Stock (Jul 11)
  - RE: Oracle SQL Injection Mark Keegan (Jul 12)
    - Re: Oracle SQL Injection Tim (Jul 12)
    - RE: Oracle SQL Injection Mark Keegan (Jul 12)
    - RE: Oracle SQL Injection Integrigy (Jul 12)
- Re: Oracle SQL Injection Esteban Martinez Fayo (Jul 12)