Re: Oracle URL SQL Injection issue

On Jan 17, 2008, at 6:21 PM, Clone wrote:
> http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;--
>
> and I get the error
>
> ociexecute() [function.ociexecute]: OCIStmtExecute:
> ORA-01789: query block has incorrect number of result
> columns in dbs.inc on line 44

The hint is in the error. Your injected UNION must select the same  
number of columns as the original query. Vary the number of columns  
instead of doing a 'select *.' If you don't know the column names, you  
can do something like 'select 1,2,3,4,5,6,7 from usr'. Since you say  
you have a valid account on the db server, I guess you could go ahead  
and find out the schema for the usr table.


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------