Hi,
I'm doing a pentest to a web application that uses an ORACLE database.
I suspect that the application is using bind variables in the queries
to avoid SQL injection
but when I try to inject a SQL statement in a parameter, it rises a
ORA-01480 exception.
ORA-01480: trailing null missing from STR bind value
Cause: A bind variable of type 5 (null-terminated string) does not
contain the terminating null in its buffer.
Action: Terminate the string with a null character
does it mean that the application is using bind variables to protect
itself against sql injection???
This example shows simple SQL injection. The query uses bind variables
and doesn't rise any exception. It's like the user is typing the
password wrong.
SQL> variable pword varchar2(30);
SQL> exec :uname := 'tom';
SQL> exec :pword := -
> 'i_dont_know'' or ''x'' = ''x';
PL/SQL procedure successfully
completed.
SQL> select count(*)
2 from user_table
3 where username = :uname
4 and password = :pword
5 /
COUNT(*)
----------
0
-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in the
development of any web application. What methodology should be followed? What
tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
