Re: Oracle URL SQL Injection issue

From: Francois Larouche (francois.larouche-ml@sqlpowerinjector.com)
Date: Fri Jan 18 2008 - 16:47:47 EST

• Next message: Clone: "Re: Oracle URL SQL Injection issue"
• Previous message: benoni.martin@accenture.com: "RE: http TRACE option"
• In reply to: Clone: "Oracle URL SQL Injection issue"
• Next in thread: Danux: "Re: Oracle URL SQL Injection issue"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,

In order to make your UNION works you need to have the exact number of
expressions on the SELECT you inject. A start (*) character is not a
good idea. So what I suggest is to try to add one at the time NULL or
'1' after the SELECT and submit it until it doesn't complain about the
incorrect number of columns.

An interesting outcome of your mistake is the presence of the dbs.inc
file. I know it's not part of your question but I would suggest to try
to find in which directory it is (perhaps directly where you are if you
lucky) and request it. Usually a file with inc extension will be
displayed as is with the source code. If it's the case you will see the
exact SQL syntax inside and you will be able to craft your injection
better, among other advantages...

Good luck

Francois
> Hey List
>
> I am pen testing a web app that supplies sql
> parameters on the URL something like
>
> http://x.y.z.a/item.php?Id=90
>
> I did blind sql injection by adding AND 1=1 to confirm
> the vulnerability.
>
> Now when I do
>
> http://x.y.z.a/item.php?Id=90'
>
> I get
>
> ociparse() [function.ociparse]: OCIParse: ORA-01756:
> quoted string not properly terminated in item.php on
> line 312
>
> Then I tried (after confirming presence of usr table
> name)
>
> http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;--
>
> and I get the error
>
> ociexecute() [function.ociexecute]: OCIStmtExecute:
> ORA-01789: query block has incorrect number of result
> columns in dbs.inc on line 44
>
> I know one valid user account in the oracle DB.
>
> Any idea what's the best strategy to move forward?
>
> I'm not getting any further from here so far.
>
> Any advise / helpo would be much appreciated.
>
> Cheers'
>
>
>
> 5, 50, 500, 5000 - Store N number of mails in your inbox. Go to http://help.yahoo.com/l/in/yahoo/mail/yahoomail/tools/tools-08.html
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>
>

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: Clone: "Re: Oracle URL SQL Injection issue"
• Previous message: benoni.martin@accenture.com: "RE: http TRACE option"
• In reply to: Clone: "Oracle URL SQL Injection issue"
• Next in thread: Danux: "Re: Oracle URL SQL Injection issue"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:20 EDT