Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Oracle SQL Injection

from [Esteban Martinez Fayo] Network Security [Permanent Link]
Subject: Re: Oracle SQL Injection
Date: Wed, 12 Jul 2006 13:44:01 -0700 (PDT) 
Mark,

This seems to be a SQL Injection vulnerability in a
SELECT statement. You will not be able to inject DDL
statements or UPDATE/INSERT/DELETEs. What you can do
is inject a function call inside the SELECT statement.

If you have access to the Oracle server and you can
create a function, you will be able to execute it
using the SQL Injection with elevated privileges.
If you do not have access to the Oracle server, you
will need to use one of the many Oracle functions
vulnerable to buffer overflow or SQL Injection.

You can see my last year BlackHat presentation for
examples.
You can download it from
http://www.argeniss.com/research/OracleSQLInjBHUSA05.zip
I think the examples in slides 27 and 34 can be
applied in your situation.

Esteban.



--- Mark Keegan <mark.keegan@paradise.net.nz> wrote:


Hi Group, I am performing my first web assessment on
a web application with
an Oracle backend.  Now I need to say that my
background is solidly in the
MS space and Oracle is a new beast to me.  I have
discovered that the
application is open to SQL injection and while I can
perform the typical
UNION queries to harvest information from other
tables I am failing to
execute other statements such as INSERT, DELETES or
DROPs.  In MSSQL I can
use a Semicolon ; to append these types of
statements as follows:
 
;UPDATE sometable SET column x = 'blah'--
 
It appears that Oracle does not like this type of
syntax where we are
appending an UPDATE onto an existing SELECT
statement.  Could someone please
point me in the right direction on how to execute
these type of commands.  
 
I should also say that the application appears to be
replacing a semicolon
with a coma.
 
Many Thanks
Mark
 
 





-------------------------------------------------------------------------

Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common
application-level 
attacks that hackers use to sneak into web
applications today. This 
whitepaper will discuss how traditional CSS attacks
are performed, how to 
secure your site against these attacks and check if
your site is protected. 
Cross-Site Scripting Explained - Download this
whitepaper today!



https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr



--------------------------------------------------------------------------






__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level 
attacks that hackers use to sneak into web applications today. This 
whitepaper will discuss how traditional CSS attacks are performed, how to 
secure your site against these attacks and check if your site is protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Preliminary CFP:The 2nd International Conference on Availability, Reliability and Security (ARES 07), Vienna, Austria, April 10-13, 2007, Manh Tho
Next by Date:  Re: How to perform SSL certificate validation ?, Nagareshwar Talekar
Previous by Thread:  RE: Oracle SQL Injection, Integrigy
Next by Thread:  Convenience or just bad design?, Saqib Ali
Indexes:  [Date] [Thread] [Top] [All Lists]