Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Oracle SQL Injection

from [Mark Keegan] Network Security [Permanent Link]
Subject: RE: Oracle SQL Injection
Date: Wed, 12 Jul 2006 14:15:12 +1200 
Thanks for the reply Tim.  Yes I have read these articles and also the
PeteFinnigan.com site.  They are both very good resources but although they
allude to being able to perform UPDATES etc I couldn't see a good example.  

As for the SUBSELECT suggestion, I did think about that one myself however I
didn't know you can embed UPDATES or DELETES within a SUBSELECT.  Could you
please provide some sample syntax on this.

Thanks
Mark MCSD & C|EH 

-----Original Message-----
From: Tim [mailto:tim-security@sentinelchicken.org] 
Sent: Wednesday, 12 July 2006 10:25 a.m.
To: Mark Keegan
Cc: webappsec@securityfocus.com
Subject: Re: Oracle SQL Injection

Mark,


It appears that Oracle does not like this type of syntax where we are 
appending an UPDATE onto an existing SELECT statement.  Could someone 
please point me in the right direction on how to execute these type of

commands.

 
I should also say that the application appears to be replacing a 
semicolon with a coma.



Have you tried using sub queries?

Also, check out these (if you haven't already seen them):
  http://www.securityfocus.com/infocus/1644
  http://www.securityfocus.com/infocus/1646

good luck,
tim

-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level
attacks that hackers use to sneak into web applications today. This
whitepaper will discuss how traditional CSS attacks are performed, how to
secure your site against these attacks and check if your site is protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------





-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level 
attacks that hackers use to sneak into web applications today. This 
whitepaper will discuss how traditional CSS attacks are performed, how to 
secure your site against these attacks and check if your site is protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Intrusion Detection, David Ryan
Next by Date:  Convenience or just bad design?, Saqib Ali
Previous by Thread:  Re: Oracle SQL Injection, Andrew van der Stock
Next by Thread:  Re: Oracle SQL Injection, Tim
Indexes:  [Date] [Thread] [Top] [All Lists]