WebApp Sec mailing list archives
RE: about oracle sql injection
From: "LAROUCHE Francois" <Francois.Larouche () accorservices com>
Date: Thu, 1 Dec 2005 16:22:40 +0100
Hi,
> IMHO, the best you can do is to first use a 'group by' injection to determine the *name* of the parameters in the select query
Well, I don't want to be a pain, but GROUP BY 0 or by any number won't work on either SQL Server or Oracle (unless you know a way I don't; if you do, please enlighten me :) ). A good trick is using HAVING 1=1, but it will work only on SQL Server; on Oracle it will respond as if HAVING 1=1 had never been there.
> Maybe NULLs will pass?
And yes, null will work pretty fine; actually the trick is to try null until it no longer raises an error stating that there is an incorrect number of results. Don't forget to add FROM DUAL in your union query. If not, you will never get any result back on the web page in case you want to use only some Oracle variable such as "user".

Once you have found the right number of columns, you start to remove the first null and replace it with a 1 and see what the error message is; if there is one, try with '1'. Now it should work. If it's OK, you move to the next one (if you have to; usually you need only one that will display what you need on the web page).

Good luck!

François Larouche
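A detection-side view of the probing sequence described in this message, as an added example that is not part of the original post: the sketch below scans request log lines for UNION ... FROM DUAL probes and flags a client that walks the column count and then swaps a NULL for a value. The log format, the sample lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (client IP, then request line); not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 "GET /item?id=5 HTTP/1.1"',
    '198.51.100.7 "GET /item?id=5+UNION+SELECT+NULL+FROM+DUAL HTTP/1.1"',
    '198.51.100.7 "GET /item?id=5+UNION+SELECT+NULL,NULL+FROM+DUAL HTTP/1.1"',
    '198.51.100.7 "GET /item?id=5+union+select+null,null,null+from+dual HTTP/1.1"',
    '198.51.100.7 "GET /item?id=5+UNION+SELECT+%271%27,NULL,NULL+FROM+DUAL HTTP/1.1"',
    '203.0.113.9 "GET /search?q=student+union+select+committee HTTP/1.1"',
]

LINE_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+"$')
# UNION [ALL] SELECT <column list> FROM DUAL, matched after URL-decoding.
UNION_RE = re.compile(r'\bunion\s+(?:all\s+)?select\s+(.+?)\s+from\s+dual\b', re.I | re.S)

def union_probe(url):
    """Return (column_count, null_count) for a UNION ... FROM DUAL list, else None."""
    m = UNION_RE.search(unquote_plus(url))
    if not m:
        return None
    # Naive comma split: adequate for NULL/literal lists, not for nested calls.
    cols = [c.strip().lower() for c in m.group(1).split(',')]
    return len(cols), cols.count('null')

def find_column_probing(lines, min_steps=2):
    """Flag (client, path) pairs whose requests show the column count being walked."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, url = m.groups()
        probe = union_probe(url)
        if probe:
            seen[(client, url.split('?', 1)[0])].append(probe)
    alerts = {}
    for key, probes in seen.items():
        counts = sorted({n for n, _ in probes})
        # Several distinct column counts = counting phase; a non-NULL column
        # at the largest count = the type-testing phase that follows it.
        if len(counts) >= min_steps:
            typed = any(n == counts[-1] and nulls < n for n, nulls in probes)
            alerts[key] = {'column_counts': counts, 'type_testing': typed}
    return alerts

if __name__ == '__main__':
    for key, info in find_column_probing(SAMPLE_LOG).items():
        print(key, info)
```

The same sequence is also visible server-side as a burst of column-count errors from one session, which makes a useful second signal when request bodies are not logged.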