Re: Oracle SQL Injection

[Tim <tim-security () sentinelchicken org>]

Mark,

> It appears that Oracle does not like this type of syntax where we are
> appending an UPDATE onto an existing SELECT statement.  Could someone please
> point me in the right direction on how to execute these type of commands.  
>  
> I should also say that the application appears to be replacing a semicolon
> with a coma.


Have you tried using sub queries?

Also, check out these (if you haven't already seen them):
  http://www.securityfocus.com/infocus/1644
  http://www.securityfocus.com/infocus/1646

good luck,
tim

-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level 
attacks that hackers use to sneak into web applications today. This 
whitepaper will discuss how traditional CSS attacks are performed, how to 
secure your site against these attacks and check if your site is protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------