From: Zosen Security (zosen.security@gmail.com)
Date: Sat Dec 22 2007 - 11:07:32 EST
Hi,
I'm doing a pentest to a web application that uses an ORACLE database.
I suspect that the application is using bind variables in the queries
to avoid SQL injection
but when I try to inject a SQL statement in a parameter, it rises a
ORA-01480 exception.
ORA-01480: trailing null missing from STR bind value
Cause: A bind variable of type 5 (null-terminated string) does not
contain the terminating null in its buffer.
Action: Terminate the string with a null character
does it mean that the application is using bind variables to protect
itself against sql injection???
This example shows simple SQL injection. The query uses bind variables
and doesn't rise any exception. It's like the user is typing the
password wrong.
SQL> variable pword varchar2(30);
SQL> exec :uname := 'tom';
SQL> exec :pword := -
> 'i_dont_know'' or ''x'' = ''x';
PL/SQL procedure successfully
completed.
SQL> select count(*)
2 from user_table
3 where username = :uname
4 and password = :pword
5 /
COUNT(*)
----------
0
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:17 EDT