SQL INJECTION - ORACLE

From: foo bar (badb0tat_private)
Date: Mon Dec 10 2001 - 08:06:05 PST

Next message: Kevin Spett: "Re: SQL INJECTION - ORACLE"

Previous message: Adrien de Beaupre: "Re: Writing to Windows Security Log"
Next in thread: Michael Haunzwickl: "Re: SQL INJECTION - ORACLE"
Reply: Michael Haunzwickl: "Re: SQL INJECTION - ORACLE"
Reply: Kevin Spett: "Re: SQL INJECTION - ORACLE"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello
I am performing a vulnerability test against a web application and would 
like some advice.  The application is running IIS 4.0 - all the remote 
exploits are patched.  The backend is just a bunch of VB scripts, getting 
info from an oracle8 server on AIX.

Most of the places where input is accepted must strip out unexpected 
characters, but I located one field on a form where input was not properly 
validated.  I've tried posting different strings into the field with limited 
success.  All I'm able to get is errors back.  I'd like to take advantage of 
some stored procedures in oracle.  Could you look at the log of my activity 
below and provide advice on where to go next in order to compromise the 
database, or the server itself?  I'd even be happy with the ability to run a 
successful query through injection.  It looks like their using a package or 
stored procedure to post the query, and I'm having trouble breaking out of 
it.  Is it possible, if so, how should I go about it?

Input: '
Result:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC driver for Oracle][Oracle]ORA-00907: missing right 
parenthesis

E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128

Input: ')
Result:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC driver for Oracle][Oracle]ORA-00923: FROM keyword not found 
where expected

E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128

Input: ') from
Result:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC driver for Oracle][Oracle]ORA-00903: invalid table name

E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128

Input: ') from policy
Result:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC driver for Oracle][Oracle]ORA-00933: SQL command not 
properly ended

E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128

Input: ') from policy -- "'"
Result:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'

[Microsoft][ODBC driver for Oracle][Oracle]ORA-06553: PLS-306: wrong number 
or types of arguments in call to 'GETPOLICYNUMBER'

E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128

Input: ') from getpolicynumber -- "'"
Result:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'

[Microsoft][ODBC driver for Oracle][Oracle]ORA-04044: procedure, function, 
package, or type is not allowed here

E:\INETPUB\WEBSITE\CLAIM ENTRY\../systemmonitor/AdoRecordCount.asp, line 128

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Next message: Kevin Spett: "Re: SQL INJECTION - ORACLE"
Previous message: Adrien de Beaupre: "Re: Writing to Windows Security Log"
Next in thread: Michael Haunzwickl: "Re: SQL INJECTION - ORACLE"
Reply: Michael Haunzwickl: "Re: SQL INJECTION - ORACLE"
Reply: Kevin Spett: "Re: SQL INJECTION - ORACLE"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 13:57:00 PST