Network Security: Detailed info on Re: Oracle SQL Injection vulnerability

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Pen-Test

[Top] [All Lists]

Re: Oracle SQL Injection vulnerability

from [Zed Qyves] Network Security

[Permanent Link]

Subject:	Re: Oracle SQL Injection vulnerability
Date:	Tue, 20 Nov 2007 12:04:40 +0200

Hello,

Wild guess but can the username be numeric only rather than
alphanumeric as everyone expects? People often misconceive that the
username field as alpha while it may very well not be ...That would
explain why you are still getting the "ORA-01756: quoted string not
properly terminated" even when you appear to terminating correctly.
what if you input "123 or 1=1--" (strip ") in the username field?

regards,
./ZQ

-- 
---------------------------------------------------------------------
ÎÏÎÏÎ
áÎ ÏáÎá áÏÎÏÎÎ ÎáÂ Ïá Îá ÎÎÏÎÏÎÎÎÎÎ
áÎÏÏÏÎ, áÎÏÎÏÎÎÎÎ Îá ÏáÎÎÎÎÏÎÎÎÎÎ.
ÎÎÎÎÏÎÏÏ ÎÏÏÏÎÎÎÏ [110]
---------------------------------------------------------------------
Creon
In this our land, so said he, those who seek  Shall find; unsought, we
lose it utterly.
Oedipus Rex [110]
---------------------------------------------------------------------

[More messages with this same subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Oracle SQL Injection vulnerability, Attari Attari Re: Oracle SQL Injection vulnerability, Steven Adair Re: Oracle SQL Injection vulnerability, Joxean Koret Re: Oracle SQL Injection vulnerability, Attari Attari RE: Oracle SQL Injection vulnerability, Erin Carroll RE: Oracle SQL Injection vulnerability, Paul Melson RE: Oracle SQL Injection vulnerability, Attari Attari Re: Oracle SQL Injection vulnerability, Zed Qyves <= Re: Oracle SQL Injection vulnerability, Attari Attari Re: Oracle SQL Injection vulnerability, Zed Qyves RE: Oracle SQL Injection vulnerability, David Cullen Re: RE: Oracle SQL Injection vulnerability, eladexposed

Previous by Date:	Re: Oracle SQL Injection vulnerability, Attari Attari
Next by Date:	Re: Network Security Assessment 2nd Edition, Chris McNab
Previous by Thread:	RE: Oracle SQL Injection vulnerability, Attari Attari
Next by Thread:	Re: Oracle SQL Injection vulnerability, Attari Attari
Indexes:	[Date] [Thread] [Top] [All Lists]