From: Zed Qyves (zqyves.spamtrap@gmail.com)
Date: Thu Nov 22 2007 - 03:32:00 EST
Hello,
first things first...1) The SELECT query doesn't seem to be the one you are injecting sincethere exist single quotes rather than not as I suspected in theprevious email. I am assuming that txtUser.Text is the value you areposting.2) You could be failing because the cmd.ExecuteScalar() is returningNULL that cant be converted to CInt. However I would expect to begetting an ASP.NET error rather than Oracle error in that situation.3) How do you know that the previous query fires ok?cmd.ExecuteScalar() is the actual execution of the query. do you haveany idea from the error messages as to what is cmd pointing to at thisplace?4)For Oracle to be complaining you are most likely to be insertingsomething rather than selecting. maybe there is an active sessionstable that your data is reposted maybe some other reason... have alook at the whole page exchange from a logon via an inline proxy. mostlikely what you put as a username is stored in a session object and isused subsequently, if you are lucky it is the cookie tha
t it stores itin (for pen testers laughing yes in 2007 Anno Domini cookies are stillused in web apps to make decisions)
now moving to the exploitation part... try the following replacingUSERSTABLENAME with the one you know exists...usernamefield: ||(select max(id) from USERSTABLENAME)||passwordfield: ||(select password from USERSTABLENAME where id=(selectmax(id) from USERSTABLENAME))||
or
usernamefield: '||(select max(id) from USERSTABLENAME)||'passwordfield: '||(select password from USERSTABLENAME whereid=(select max(id) from USERSTABLENAME))||'
let us know how it goes...
In a more general note I would suggest using a valid number inusername field and injecting the password field with:anything' or 'd'='d'--anything' or 'd'='d
./ZQ
On Nov 21, 2007 3:56 AM, Attari Attari <c70n3@yahoo.co.in> wrote:> Hey Zed,>> You hit the bulls eye.>> Now I gave 123 OR 1=1-- as the injection in username> field.. I don't get the same error on a previous line> but a new error further down the code which says:>> "ORA-01722: invalid number">> Looks like the query earlier is:>> SELECT COUNT(*) FROM TABLENAME WHERE ID = '" &> txtUser.Text & "' and PASSWORD = '"...>> Now this query is fired fine. But the execution breaks> in the next line that says (yes error's are not> hidden):>> If CInt(cmd.ExecuteScalar()) > 0>> Suggestions what's going wrong here?>> Thanks a ton guys.>>> --- Zed Qyves <zqyves.spamtrap@gmail.com> wrote:> > Hello,> >> > Wild guess but can the username be numeric only> > rather than> > alphanumeric as everyone expects? People often> > misconceive that the> > username field as alpha while it may very well not> > be ...That would> > explain why you are still getting the "ORA-01756:> > quoted string not> > properly terminated" even when you ap
pear to> > terminating correctly.> > what if you input "123 or 1=1--" (strip ") in the> > username field?> >> > regards,> > ./ZQ> >> > --> >> ---------------------------------------------------------------------> > Κρέων> > ἐν τῇδ᾽ ἔφασκε γῇ· τὸ δὲ> > ζητούμενον> > ἁλωτόν, ἐκφεύγειν δὲ> > τἀμελούμενον.> > Οιδίπους Τύρρανος [110]> >> ---------------------------------------------------------------------> > Creon> > In this our land, so said he, those who seek Shall> > find; unsought, we> > lose it utterly.> > Oedipus Rex [110]> >> ---------------------------------------------------------------------> >>>> Bring your gang together - do your thing. Go to http://in.promos.yahoo.com/groups>>
-- ---------------------------------------------------------------------Κρέωνἐν τῇδ᾽ ἔφασκε γῇ· τὸ δὲ ζητούμενονἁλωτόν, ἐκφεύγειν δὲ τἀμελούμενον.Οιδίπους Τύρρανος [110]---------------------------------------------------------------------CreonIn this our land, so said he, those who seek Shall find; unsought, welose it utterly.Oedipus Rex [110]---------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:13 EDT