Re: SQL Injection

From: Chris Humphries (chumphries@devis.com)
Date: Tue Jun 11 2002 - 16:32:14 EDT


try URL encoding the entire string. also note that ; is a
"reserved" part of URL syntax, like ? and &.

also if it is java, it may be using an ODBC driver to connect to
Oracle, and that may not allow for that anywho.

just some ideas...

=On Tue, Jun 11, 2002 at 04:30:48AM -0400,
=received 2.7K bytes from Qyves containing this:
> Hello all,
>
> Last time this was denied on pen-test due to cross-posting issues.
>
> I am currently pen-testing a web app and I am stuck in trying to execute two queries sequentially in Oracle.
>
> To my knowledge I can do this in SQL by separating the two queries with ; however this is not happening in my case in two circumstances...
>
> Here goes the history:
>
> Case1:
>
> I have discovered an injectable SQL query that is fed its data from a web form, the end query built by a cgi-script being
>
> something along those lines:
>
> (insert into tab_nam values ('a','b','c','d','e')); - a-e values from the web form- with me being able to inject through
>
> concatenation and subqueries between any of those fields a SELECT query.
>
> e.g.
> e='||select password from users where username='adm'||'
> query=(insert into tab_nam values ('a','b','c','d',''||select password from users where username='adm'||''));
>
> I tried an INSERT to no avail, fair enough since I don't think that INSERTs are allowed in nested queries... (or are they??)
>
> The last characters added by the cgi script are the ));
>
> e.g.
> e=aa')); (insert into powerusers values ('test', 'pwd
> ^^-- This gets around the NULL value insertion problem
> query=(insert into tab_nam values ('a','b','c','d','aa')); (insert into powerusers values ('test', 'pwd'));
>
> Those two queries should be executed sequentially but Oracle complains with an Invalid character error
>
> Case 2:
>
> I have also found a second query I can insert to and parts of it are actually shown raw in the URL as an input to a servlet
>
> script e.g. /stupid.cgi?A=123%20AND%20%ID=101
>
> This query appears to be something in the form of:
> SELECT foo from bar where [URL] ;
>
> I can inject an OR 1=1 in the above URL and get all the rows... However when I try the sequential queries again I fail
>
> miserably url=/stupid.cgi?A=123%20AND%20%ID=101%20OR%201=1
>
> original url=/stupidservlet?A=123%20AND%20%ID=101
> modified url=/stupidservlet?A=123%20AND%20%ID=101; insert into powerusers values ('test', 'pwd)
>
> I have full control over the url however I get just a "Server Error" back.
>
> Any clues on how to make any of these methods work anyone??
>
> Thanks in advance.
>
> Qyves
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/

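A check for the two points raised in this thread (the concatenated INSERT from Case 1, and the reply's note that the driver may refuse a second statement), as an added example that is not part of the original post. It uses Python's built-in sqlite3 in place of Oracle, and the tables, password value and payload strings are constructed for the demo.

```python
import sqlite3

# Constructed in-memory stand-in for the post's tab_nam and users tables.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table users (username text, password text);
        create table tab_nam (a text, b text, c text, d text, e text);
        insert into users values ('adm', 'S3cret');
    """)
    return db

def insert_concat(db, fields):
    # Vulnerable pattern from the post: the script glues form values into the
    # SQL text, so quotes and || inside a value become part of the statement.
    sql = "insert into tab_nam values (" + ",".join("'%s'" % f for f in fields) + ")"
    db.execute(sql)
    return db.execute("select e from tab_nam").fetchone()[0]

def insert_bound(db, fields):
    # Hardened form: bind parameters. The driver passes values separately from
    # the statement text, so the same payload is stored as a plain string.
    db.execute("insert into tab_nam values (?,?,?,?,?)", fields)
    return db.execute("select e from tab_nam").fetchone()[0]

# Payloads modelled on Case 1 of the post (a subquery in field e, and a second
# statement after closing the first); both are constructed for this demo.
SUBQUERY_PAYLOAD = "'||(select password from users where username='adm')||'"
STACKED_PAYLOAD = "aa'); insert into tab_nam values ('x','x','x','x','x"

def demo():
    out = {}
    # With concatenation the subquery runs and its result lands in column e.
    out["concat_subquery"] = insert_concat(make_db(), ["a", "b", "c", "d", SUBQUERY_PAYLOAD])
    # With bind parameters the identical input is just data.
    out["bound_subquery"] = insert_bound(make_db(), ["a", "b", "c", "d", SUBQUERY_PAYLOAD])
    try:
        # Like the ODBC/JDBC behaviour mentioned in the reply, sqlite3's execute()
        # accepts exactly one statement, so the stacked insert is refused.
        insert_concat(make_db(), ["a", "b", "c", "d", STACKED_PAYLOAD])
        out["stacked"] = "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        out["stacked"] = "rejected by driver"
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```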



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:22 EDT