RE: Oracle SQL Injection vulnerability



Yes. The application isn't escaping special characters in the input field
and is executing the input as a statement. Try a username of %' or a name
like 'admin% and see what you get back. If you're lucky you'll get an error
message but the following statement will be executed "?select id, user_role
from users where name='%' OR NAME LIKE 'ADMIN%'? Ïnjecting SQL commands
without having a valid user account is a pretty severe issue and you should
suggest to your client to set explicit input parameters (A-z, 0-9) and
escape special characters using whichever method applies to their codebase.

You can leverage several tools out there to test further. Off the top of my
head there's SQLNinja, Absinthe, FJ-Injector Framework, NGSS SQL Injector,
and many others.

I'm sure others on the list will have some other suggestion or tips, this
was just a quick response off the cuff.

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Attari Attari
Sent: Monday, November 19, 2007 1:32 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Oracle SQL Injection vulnerability

Hi Group,

I'm doing a penetration test for a client on their web
portal. When I give ' on the username field I was received
with an error from the server:

Unspecified error
ORA-01756: quoted string not properly terminated

Does that mean the site is vulnerable to SQL Injection? I
tried ' OR 1=1-- and ' OR '1'='1'-- but I get same error message.

Any help would be much appreciated.

Clone


Meet people who discuss and share your passions. Go to
http://in.promos.yahoo.com/groups


--------------------------------------------------------------
----------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
--------------------------------------------------------------
----------



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



Relevant Pages

  • RE: [PHP] question about validation and sql injection
    ... question about validation and sql injection ... validating username in php ... what i have read about preventing sql injection there are several ...
    (php.general)
  • PR07-31: Unauthenticated SQL Injection, XSS on Login Page and Username Enumeration on DPSnet Cas
    ... Unauthenticated SQL Injection, XSS and Username Enumeration on ... Progress is an internet based product which enables all parties involved ... ProCheckUp Security Vulnerabilities and Advisories: ...
    (Bugtraq)
  • RE: Intresting case of SQL Injection
    ... then I don't see where the SQL Injection can come into play. ... The application was developed under PHP 4.2.1, Apache and MSSQL. ... single quotes to escape a quote we were allowed to execute our ... we wanted to insert a record on the "users" table (fields username ...
    (Bugtraq)
  • RE: Oracle SQL Injection vulnerability
    ... I am also not too familiar with SQL injection techniques but found the ... careful if they are sharing live oracle databases with the test ... db could bring the server down, especially if you have v.large data sets ... Cenzic finds more, "real" vulnerabilities fast. ...
    (Pen-Test)
  • Re: [PHP] question about validation and sql injection
    ... Usually addslashes is enough to prevent this, but the validation that you have is also enough. ... So if you worried about the sql injection, then use both and you should be fine. ... there are certain conditions for the username. ... special characters while filling the form. ...
    (php.general)