SQL INJECTION - ORACLE
From: foo bar (badb0t@hotmail.com)Date: 12/10/01
- Previous message: Adrien de Beaupre: "Re: Writing to Windows Security Log"
- Next in thread: Michael Haunzwickl: "Re: SQL INJECTION - ORACLE"
- Reply: Michael Haunzwickl: "Re: SQL INJECTION - ORACLE"
- Reply: Kevin Spett: "Re: SQL INJECTION - ORACLE"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "foo bar" <badb0t@hotmail.com> To: webappsec@securityfocus.com, pen-test@securityfocus.com Date: Mon, 10 Dec 2001 16:06:05 +0000
Hello
I am performing a vulnerability test against a web application and would
like some advice. The application is running IIS 4.0 - all the remote
exploits are patched. The backend is just a bunch of VB scripts, getting
info from an oracle8 server on AIX.
Most of the places where input is accepted must strip out unexpected
characters, but I located one field on a form where input was not properly
validated. I've tried posting different strings into the field with limited
success. All I'm able to get is errors back. I'd like to take advantage of
some stored procedures in oracle. Could you look at the log of my activity
below and provide advice on where to go next in order to compromise the
database, or the server itself? I'd even be happy with the ability to run a
successful query through injection. It looks like their using a package or
stored procedure to post the query, and I'm having trouble breaking out of
it. Is it possible, if so, how should I go about it?
Input: '
Result:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC driver for Oracle][Oracle]ORA-00907: missing right
parenthesis
E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128
Input: ')
Result:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC driver for Oracle][Oracle]ORA-00923: FROM keyword not found
where expected
E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128
Input: ') from
Result:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC driver for Oracle][Oracle]ORA-00903: invalid table name
E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128
Input: ') from policy
Result:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC driver for Oracle][Oracle]ORA-00933: SQL command not
properly ended
E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128
Input: ') from policy -- "'"
Result:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC driver for Oracle][Oracle]ORA-06553: PLS-306: wrong number
or types of arguments in call to 'GETPOLICYNUMBER'
E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128
Input: ') from getpolicynumber -- "'"
Result:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC driver for Oracle][Oracle]ORA-04044: procedure, function,
package, or type is not allowed here
E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
- Previous message: Adrien de Beaupre: "Re: Writing to Windows Security Log"
- Next in thread: Michael Haunzwickl: "Re: SQL INJECTION - ORACLE"
- Reply: Michael Haunzwickl: "Re: SQL INJECTION - ORACLE"
- Reply: Kevin Spett: "Re: SQL INJECTION - ORACLE"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
