WebApp Sec mailing list archives
RE: ORACLE SQL Injection Question
From: "Pitts, Christopher C." <Christopher.Pitts () HaverstickConsulting com>
Date: Tue, 4 Nov 2003 14:46:42 -0500
I would take a long look at the "Blind SQL Injection" whitepaper that crossed this list a few weeks ago. I think there's a copy at: http://www.webcohort.com/Blindfolded_SQL_Injection.pdf

If not, I can send you a copy. It talks about doing pretty much exactly what Mike seems to be looking to do. The "Getting the syntax right" section may be able to point you more closely toward where you need to be to gain your objective.

Christopher

--
Christopher C. Pitts
CISSP 44503, LPIC
Sr. Consultant
Application Security

Mike Rauch <michaelraouch () yahoo com> 11/03/03 07:57AM >>>
Hello,

I'm performing an assessment on one of our web applications (black box type) and I came across two interesting error messages from an Oracle DB when I supply a 'SELECT statement. The messages are:

a) ORA-00933 SQL Command not properly ended
b) ORA-00917 Missing comma

I tried various formats to form an SQL statement that can be parsed, but with no success. Can anyone shed any light as to what I may be able to try?

Thanks!
Mike