Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Oracle URL SQL Injection issue

from [Francois Larouche] Network Security [Permanent Link]
Subject: Re: Oracle URL SQL Injection issue
Date: Fri, 18 Jan 2008 13:47:47 -0800 
Hi,

In order to make your UNION works you need to have the exact number of expressions on the SELECT you inject. A start (*) character is not a good idea. So what I suggest is to try to add one at the time NULL or '1' after the SELECT and submit it until it doesn't complain about the incorrect number of columns.

An interesting outcome of your mistake is the presence of the dbs.inc file. I know it's not part of your question but I would suggest to try to find in which directory it is (perhaps directly where you are if you lucky) and request it. Usually a file with inc extension will be displayed as is with the source code. If it's the case you will see the exact SQL syntax inside and you will be able to craft your injection better, among other advantages...

Good luck

Francois 
Hey List

I am pen testing a web app that supplies sql
parameters on the URL something like

http://x.y.z.a/item.php?Id=90

I did blind sql injection by adding AND 1=1 to confirm
the vulnerability.

Now when I do

http://x.y.z.a/item.php?Id=90'

I get 

ociparse() [function.ociparse]: OCIParse: ORA-01756:
quoted string not properly terminated in item.php on
line 312

Then I tried (after confirming presence of usr table
name)

http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;--

and I get the error

ociexecute() [function.ociexecute]: OCIStmtExecute:
ORA-01789: query block has incorrect number of result
columns in dbs.inc on line 44

I know one valid user account in the oracle DB.

Any idea what's the best strategy to move forward?

I'm not getting any further from here so far.

Any advise / helpo would be much appreciated.

Cheers'



      5, 50, 500, 5000 - Store N number of mails in your inbox. Go to 
http://help.yahoo.com/l/in/yahoo/mail/yahoomail/tools/tools-08.html


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: http TRACE option, benoni.martin
Next by Date:  Re: Oracle URL SQL Injection issue, Clone
Previous by Thread:  Re: Oracle URL SQL Injection issue, Jason Thompson
Next by Thread:  Re: Oracle URL SQL Injection issue, Danux
Indexes:  [Date] [Thread] [Top] [All Lists]