WebApp Sec mailing list archives

about oracle sql injection


From: limor188 () walla co il
Date: 29 Nov 2005 15:58:14 -0000

Hey, I need a little help. When I try to inject commands into an Oracle database, for example:

union select password from dba_users--

gives the error message:

ORA-***: query block has incorrect number of result columns

I then cycle through different amounts of columns until I get to something like:

UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from dba_users--

which produces the error:

ORA-***: expression must have same datatype as corresponding expression 

1) Does anyone know a quick way to get all the column types without cycling through manually, as that will take 2^22 requests at least?

2) Is there any way to get information out of the db without knowing the column types?

Thanks a lot

limor
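
Seen from the defender's side, the column-count cycling described in this post shows up in request logs as one client sending UNION SELECT fragments with a changing number of select-list items. The following is an added example, not part of the original post: a small detector for that pattern. The log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample input: "<client ip> <raw query string>" per line (assumed log format).
SAMPLE_LOG = [
    "10.0.0.5 id=7+union+select+password+from+dba_users--",
    "10.0.0.5 id=7+union+select+1,2+from+dba_users--",
    "10.0.0.5 id=7+UNION+SELECT+1,2,3+from+dba_users--",
    "10.0.0.5 id=7%20union%20select%201,2,3,4%20from%20dba_users--",
    "10.0.0.9 q=student+union+select+committee",  # benign text, no FROM clause
    "10.0.0.9 id=12",
]

# Select list of a UNION [ALL] SELECT ... FROM fragment inside a parameter value.
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\s+(.+?)\s+from\b", re.I | re.S)


def union_column_count(query_string):
    """Return the number of select-list items in an injected UNION SELECT, else None."""
    decoded = unquote_plus(query_string)                      # undo %20 and '+' encoding
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)  # treat SQL block comments as whitespace
    match = UNION_RE.search(decoded)
    if not match:
        return None
    depth, count = 0, 1
    for ch in match.group(1):          # count only top-level commas
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(0, depth - 1)
        elif ch == "," and depth == 0:
            count += 1
    return count


def find_column_probing(lines, min_distinct=3):
    """Return {client: sorted column counts} for clients that tried several counts."""
    seen = defaultdict(set)
    for line in lines:
        client, _, query_string = line.partition(" ")
        count = union_column_count(query_string)
        if count is not None:
            seen[client].add(count)
    return {c: sorted(n) for c, n in seen.items() if len(n) >= min_distinct}


if __name__ == "__main__":
    print(find_column_probing(SAMPLE_LOG))
```

A hit from this detector means the parameter is reaching the SQL text unescaped; the fix on the application side is a bind variable for that parameter and an application account without SELECT rights on dba_users.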

