WebApp Sec mailing list archives

RE: about oracle sql injection


From: "LAROUCHE Francois" <Francois.Larouche () accorservices com>
Date: Thu, 1 Dec 2005 16:22:40 +0100


Hi,

> IMHO, the best you can do is to first use a 'group by' injection to
> determine the *name* of the parameters in the select query

Well, I don't want to be a pain, but GROUP BY 0 or by any number won't work on either SQL Server or Oracle (unless you
know a way I don't. If you do, please enlighten me :) ).

A good trick is using HAVING 1=1, but it will work only on SQL Server; on Oracle it will respond as if HAVING 1=1 had
never been there.

> Maybe NULLs will pass?

And yes, null will work pretty fine; actually the trick is to try null until it no longer raises an error stating that
there is an incorrect number of results. Don't forget to add FROM DUAL in your union query; if not, you will never get
any result back on the web page in case you want to use only some Oracle variable such as "user".

Once you have found the right number of columns, you start to remove the first null and replace it with a 1 and see
what the error message is; if there is one, try with '1'. Now it should work.

If it's OK, you move to the next one (if you have to; usually you need only one that will display what you need on the
web page).

Good luck!

François Larouche
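As an added example (not part of this message or the thread), the following Python script scans web-server access-log lines for the probing sequence the message describes: a HAVING 1=1 / GROUP BY n probe, then UNION SELECT with a growing run of NULL placeholders and FROM DUAL, until the "wrong number of columns" error stops. It reports, per client, which column counts were tried and the first count that came back with HTTP 200, which is the width the probing established. The log lines, client addresses, URL path and log format are constructed for the example; the signatures are plain regular expressions over the URL-decoded request.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probing steps described in the message: HAVING 1=1 / GROUP BY n
# (column-name probes), UNION SELECT with NULL placeholders, and FROM DUAL (Oracle).
SIGNATURES = {
    "having_probe": re.compile(r"\bhaving\s+\d+\s*=\s*\d+", re.I),
    "group_by_probe": re.compile(r"\bgroup\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "oracle_dual": re.compile(r"\bfrom\s+dual\b", re.I),
}
# Select list of an injected UNION SELECT, up to its FROM clause.
UNION_COLUMNS = re.compile(r"\bunion\s+(?:all\s+)?select\s+(?P<cols>.+?)\s+from\b", re.I)

# Minimal common-log-format parser: client, timestamp, method, request URL, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (one client enumerating column count, one ordinary request).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2005:16:10:01 +0100] "GET /product.jsp?id=7 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Dec/2005:16:10:09 +0100] "GET /product.jsp?id=7+HAVING+1%3D1-- HTTP/1.1" 500 311',
    '10.0.0.5 - - [01/Dec/2005:16:10:20 +0100] "GET /product.jsp?id=7+UNION+SELECT+NULL+FROM+DUAL-- HTTP/1.1" 500 311',
    '10.0.0.5 - - [01/Dec/2005:16:10:31 +0100] "GET /product.jsp?id=7+UNION+SELECT+NULL,NULL+FROM+DUAL-- HTTP/1.1" 500 311',
    '10.0.0.5 - - [01/Dec/2005:16:10:44 +0100] "GET /product.jsp?id=7+UNION+SELECT+NULL,NULL,NULL+FROM+DUAL-- HTTP/1.1" 200 5240',
    "10.0.0.5 - - [01/Dec/2005:16:11:02 +0100] \"GET /product.jsp?id=7+UNION+SELECT+'1',NULL,NULL+FROM+DUAL-- HTTP/1.1\" 200 5244",
    '192.168.1.20 - - [01/Dec/2005:16:11:30 +0100] "GET /product.jsp?id=8 HTTP/1.1" 200 5133',
]


def normalise(url):
    """URL-decode twice (catches double-encoded payloads), drop inline comments, collapse whitespace."""
    text = unquote_plus(unquote_plus(url))
    text = text.replace("/**/", " ")
    return re.sub(r"\s+", " ", text)


def classify(url):
    """Return the sorted names of the signatures that match the decoded request."""
    text = normalise(url)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def union_column_count(url):
    """Number of select-list items in an injected UNION SELECT (0 if none).
    Splits naively on commas; a quoted literal containing a comma would over-count."""
    m = UNION_COLUMNS.search(normalise(url))
    if not m:
        return 0
    return len([c for c in m["cols"].split(",") if c.strip()])


def scan(lines):
    """Parse log lines and keep those matching at least one signature."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        tags = classify(m["url"])
        if tags:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "tags": tags, "columns": union_column_count(m["url"])})
    return hits


def summarise(hits):
    """Per client: distinct column counts tried and the first count that returned 200,
    i.e. the column width the probing established (None if no probe succeeded)."""
    report = {}
    for h in hits:  # hits are in log order, so the first 200 is the earliest success
        entry = report.setdefault(h["ip"], {"probes": 0, "column_counts": set(), "inferred_columns": None})
        entry["probes"] += 1
        if "union_select" in h["tags"] and h["columns"]:
            entry["column_counts"].add(h["columns"])
            if h["status"] == 200 and entry["inferred_columns"] is None:
                entry["inferred_columns"] = h["columns"]
    for entry in report.values():
        entry["column_counts"] = sorted(entry["column_counts"])
    return report


if __name__ == "__main__":
    for ip, entry in summarise(scan(SAMPLE_LOG)).items():
        print(ip, entry)
```

The useful signal for a defender is not any single request but the sequence: one client, a short interval, error responses while the NULL count grows, then a 200 once the width matches. Alerting on `summarise()` output with three or more distinct column counts from one client catches the enumeration even when individual requests would pass a keyword filter.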


