Re: SQL INJECTION - ORACLE

From: Michael Haunzwickl (michael.haunzwickl@roehrer.com)
Date: 12/10/01

Previous message: Bugtraq: "RE: Stunnel Problems"
Next in thread: Charlie Liserne: "CFM SQL injection"
Next in thread: Kevin Spett: "Re: SQL INJECTION - ORACLE"
Reply: Charlie Liserne: "CFM SQL injection"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Michael Haunzwickl" <michael.haunzwickl@roehrer.com>
Date: Mon, 10 Dec 2001 18:25:06 GMT
To: foo bar <badb0t@hotmail.com>

Hm ...

I would try:

Input: „select * from ' & shell („Dir c:\“) & ' sys.tab$“

this will hopefully give you a dir of c:\

Best regards

Der Schakal

>>>>>>>>>>>>>>>>>> Ursprüngliche Nachricht <<<<<<<<<<<<<<<<<<

Am 10.12.2001, 17:06:05, schrieb "foo bar" <badb0t@hotmail.com> zum Thema
SQL INJECTION - ORACLE:

> Hello
> I am performing a vulnerability test against a web application and would
> like some advice. The application is running IIS 4.0 - all the remote
> exploits are patched. The backend is just a bunch of VB scripts, getting
> info from an oracle8 server on AIX.

> Most of the places where input is accepted must strip out unexpected
> characters, but I located one field on a form where input was not
properly
> validated. I've tried posting different strings into the field with
limited
> success. All I'm able to get is errors back. I'd like to take advantage
of
> some stored procedures in oracle. Could you look at the log of my
activity
> below and provide advice on where to go next in order to compromise the
> database, or the server itself? I'd even be happy with the ability to
run a
> successful query through injection. It looks like their using a package
or
> stored procedure to post the query, and I'm having trouble breaking out
of
> it. Is it possible, if so, how should I go about it?

> Input: '
> Result:
> Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

> [Microsoft][ODBC driver for Oracle][Oracle]ORA-00907: missing right
> parenthesis

> E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line
128

> Input: ')
> Result:
> Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

> [Microsoft][ODBC driver for Oracle][Oracle]ORA-00923: FROM keyword not
found
> where expected

> E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line
128

> Input: ') from
> Result:
> Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

> [Microsoft][ODBC driver for Oracle][Oracle]ORA-00903: invalid table name

> E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line
128

> Input: ') from policy
> Result:
> Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

> [Microsoft][ODBC driver for Oracle][Oracle]ORA-00933: SQL command not
> properly ended

> E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line
128

> Input: ') from policy -- "'"
> Result:
> Microsoft OLE DB Provider for ODBC Drivers error '80004005'

> [Microsoft][ODBC driver for Oracle][Oracle]ORA-06553: PLS-306: wrong
number
> or types of arguments in call to 'GETPOLICYNUMBER'

> E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line
128

> Input: ') from getpolicynumber -- "'"
> Result:
> Microsoft OLE DB Provider for ODBC Drivers error '80004005'

> [Microsoft][ODBC driver for Oracle][Oracle]ORA-04044: procedure,
function,
> package, or type is not allowed here

> E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line
128

> _________________________________________________________________
> Get your FREE download of MSN Explorer at
http://explorer.msn.com/intl.asp

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Previous message: Bugtraq: "RE: Stunnel Problems"
Next in thread: Charlie Liserne: "CFM SQL injection"
Next in thread: Kevin Spett: "Re: SQL INJECTION - ORACLE"
Reply: Charlie Liserne: "CFM SQL injection"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Oracle Database Access via IIS 6.0 ASP Pages on Windows 2003 S
... >Oracle 10g Client is installed on the Windows Server. ... >This is my standard DSN Less connection. ... >Microsoft OLE DB Provider for ODBC Drivers error '80004005' ...
(microsoft.public.inetserver.iis)
SQL INJECTION - ORACLE
... Microsoft OLE DB Provider for ODBC Drivers error '80040e14' ... This list is provided by the SecurityFocus Security Intelligence Alert ...
(Pen-Test)
Re: SQL issue
... Microsoft OLE DB Provider for ODBC Drivers error '80040e14' ... DB provider instead of ODBC. ... Please reply to the newsgroup. ...
(microsoft.public.scripting.vbscript)
Re: Drivers SQLSetConnectAttr failed
... Microsoft OLE DB Provider for ODBC Drivers error '80004005' ... Please reply to the newsgroup. ...
(microsoft.public.inetserver.asp.db)
Re: Oracle & SQL Server
... > Then consider to create Views to make it easy to access the remote Oracle ... Microsoft OLE DB Provider for SQL Server ...
(microsoft.public.sqlserver.server)

www.derkeiler.com > Mailing-Lists > securityfocus > pen-test > 2001-12