Penetration Testing mailing list archives

RE: Oracle URL SQL Injection issue

From: "Thakrar, Saurabh" <saurabh.thakrar () roche com>
Date: Fri, 18 Jan 2008 13:37:25 -0500

Try using NetCat, add on tool on Firefox for SQL Injections...

--

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Clone
Sent: Thursday, January 17, 2008 7:21 PM
To: pen-test () securityfocus com
Subject: Oracle URL SQL Injection issue

Hey List

I am pen testing a web app that supplies sql
parameters on the URL something like

http://x.y.z.a/item.php?Id=90

I did blind sql injection by adding AND 1=1 to confirm
the vulnerability.

Now when I do

http://x.y.z.a/item.php?Id=90&apos;

I get 

ociparse() [function.ociparse]: OCIParse: ORA-01756:
quoted string not properly terminated in item.php on
line 312

Then I tried (after confirming presence of usr table
name)

http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;--

and I get the error

ociexecute() [function.ociexecute]: OCIStmtExecute:
ORA-01789: query block has incorrect number of result
columns in dbs.inc on line 44

I know one valid user account in the oracle DB.

Any idea what's the best strategy to move forward?

I'm not getting any further from here so far.

Any advise / helpo would be much appreciated.

Cheers'



      5, 50, 500, 5000 - Store N number of mails in your inbox. Go to
http://help.yahoo.com/l/in/yahoo/mail/yahoomail/tools/tools-08.html


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Current thread:

Oracle URL SQL Injection issue Clone (Jan 18)
- Re: Oracle URL SQL Injection issue jeffrey rivero (Jan 22)
  - Re: Oracle URL SQL Injection issue Clone (Jan 22)
    - Re: Oracle URL SQL Injection issue Cesar (Jan 23)
- Re: Oracle URL SQL Injection issue Jason Thompson (Jan 22)
- Re: Oracle URL SQL Injection issue Francois Larouche (Jan 22)
- Re: Oracle URL SQL Injection issue Danux (Jan 22)
- RE: Oracle URL SQL Injection issue Thakrar, Saurabh (Jan 22)
  - Re: Oracle URL SQL Injection issue David Howe (Jan 23)
- Re: Oracle URL SQL Injection issue Joe Yong (Jan 22)
  - Re: Oracle URL SQL Injection issue Clone (Jan 22)
    - Re: Oracle URL SQL Injection issue Joxean Koret (Jan 23)
- Re: Oracle URL SQL Injection issue Todd Manning (Jan 22)
- <Possible follow-ups>
- Re: Oracle URL SQL Injection issue Clone (Jan 23)