Oracle SQL Injection help…

  • Author
    • #381


      This is my first post in this community, wait I can help others too.

      I’m pen-testing a host that has applications running in JSP with Oracle as the back-end. I found 2 SQL injections in this application, but I have not been able to exploit them… if some Oracle SQL injection master can help me 🙁

      The two scripts are like this:

      One is a login form.

      Two is a search form, where one of the options (the city field) is vulnerable, so I believe it’s an injection in a WHERE clause.

      My objective is to use the Oracle database to execute commands on the server (I don’t care about the data in the database).

      If I try the following strings in the first one (the login form):

      ;select username from all_users where ''x''=''x'

      or exists (select 1 from sys.dual) and ''x''=''x'

      union select username from all_users where ''x''=''x'

      or ''x''=''x'' --'

      I get: ORA-01756: quoted string not properly terminated

      If I try the following string in the first one (the login form) (Reference

      UNION select password from DBA_USERS where 'q' = 'q'

      I got: ORA-00907: missing right parenthesis

      That already looks better, since now it appears to have an unterminated “parenthesis”.

      If I try the following string in the first one (the login form) (Reference

      (SELECT username FROM all_users WHERE 1=1)

      I get an HTML access denied message (like when I type a wrong user or pass); it appears that subselects don’t

      ') UNION SELECT username FROM all_users WHERE (''='

      I got: ORA-00904: invalid column name

      However, all_users is a valid table and username is a valid column. 🙁

      1 – Why does this happen? Does someone know? How can I fix it?

      I gained access to the host by another attack and compromised the database, and just out of curiosity I checked it, and it really exists:


      I also found an interesting reference (
      where the guy shows the possibility of executing an overflow via SQL injection, with a string like this for example:


      2 – If I try it, I get ORA-00907: missing right parenthesis. Does someone know how I could use it in my example?

      3 – Even if it worked, he redirects the output to c:dir.txt; can’t it be sent to stdout (the web page returned from the query)?

      4 – Does someone know a tool where, for example, I find a SQL injection, pass it to the tool, and it makes several tries to detect the right way to make the queries? 🙂

      ps: Off topic, has someone already had success (or knows how to) compiling programs that use raw sockets/libpcap/libnet with cygwin (like compiling dsniff, ettercap, …)?

      ps2: Or do you know a good command-line password tool for Windows (one that can be installed entirely via the command line) that does ARP poisoning and filters password hashes like NTLM, Oracle, SQL Server, etc.?

      Thank you a lot.


    • #9299

      That’s a lot of different things you’re trying to do.

      Start with the most basic:

      You said that you want to exploit a login form. The query constructed by a login form is usually something like:

      select * from users where username =' Content of Textbox1'
      and password = 'Content of Textbox2'

      You mentioned that you tried to enter

      or ''x''=''x'' --'

      and get the error ORA-01756: quoted string not properly terminated. With your input the query will be:

      select * from users where username =' or ''x''=''x'' --''
                                             2 single quotes ^^
      and password = 'Content of Textbox2'

      If you modify your input slightly

          ' or 1=1 --

      that will give you

      select * from users where username ='' or 1=1 --'
                          2 single quotes ^^
      and password = 'Content of Textbox2'

      Now everything after the second ‘1’ should be ignored and your query should work.

      Hint: Try to figure out the query constructed by the form you want to exploit, write it down and look at it after modifying it with your input…
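The following is an added example, not code from either poster. It assembles the login query the reply describes by plain string concatenation, runs it against a throwaway in-memory SQLite database that stands in for Oracle (assumption: the only rules the comparison needs, a doubled '' inside a literal being an escaped quote and -- starting a line comment, are the same in both engines), and puts the bind-variable version next to it. The query template, table and rows are constructed for the demo; the real JSP page is assumed to build its SQL the way the reply sketches.

```python
"""Added example: concatenated vs. parameterized login query, with a quote scanner
that mechanises the reply's "write it down and look at it" hint.
SQLite stands in for Oracle; all data below is constructed for the demo."""
import sqlite3

# Assumed shape of the form's query, taken from the reply's description.
QUERY_TEMPLATE = "select * from users where username ='{user}' and password = '{pw}'"


def build_query(username: str, password: str) -> str:
    """String concatenation: whatever the user typed becomes part of the SQL text."""
    return QUERY_TEMPLATE.format(user=username, pw=password)


def scan_quotes(sql: str) -> bool:
    """Walk the statement the way the parser does: inside a literal, '' is one
    escaped quote; outside a literal, -- comments out the rest of the line.
    Returns True when the statement ends inside an unterminated literal,
    which is the condition Oracle reports as ORA-01756."""
    in_literal = False
    i = 0
    while i < len(sql):
        if in_literal:
            if sql.startswith("''", i):
                i += 2                  # escaped quote: still inside the literal
                continue
            if sql[i] == "'":
                in_literal = False
        else:
            if sql[i] == "'":
                in_literal = True
            elif sql.startswith("--", i):
                break                   # comment: the parser never sees the rest
        i += 1
    return in_literal


def _demo_db() -> sqlite3.Connection:
    """In-memory users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concatenated(username: str, password: str) -> str:
    """Vulnerable form: executes the concatenated text. Returns a short outcome
    string so the cases from the thread (error, bypass, normal) line up."""
    conn = _demo_db()
    try:
        rows = conn.execute(build_query(username, password)).fetchall()
    except (sqlite3.Error, sqlite3.Warning):
        return "error"                  # SQLite's counterpart of the ORA-01756 the poster saw
    finally:
        conn.close()
    return f"{len(rows)} rows"


def login_parameterized(username: str, password: str) -> list:
    """Hardened form: bind variables. Input is data, never SQL text, so the
    same strings cannot change what the statement means."""
    conn = _demo_db()
    try:
        return conn.execute(
            "select * from users where username = ? and password = ?",
            (username, password),
        ).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    # Three inputs from the thread: a normal name, the string that errored, the string that works.
    for user_input in ["alice", "or ''x''=''x'' --'", "' or 1=1 --"]:
        sql = build_query(user_input, "guess")
        print(f"{user_input!r:22} unterminated={scan_quotes(sql)!s:5} "
              f"concatenated={login_concatenated(user_input, 'guess'):7} "
              f"parameterized={len(login_parameterized(user_input, 'guess'))} rows")
```

Running it prints the three outcomes side by side: the poster's first string leaves the literal unterminated and errors, the reply's `' or 1=1 --` closes the literal and comments out the password check so every row comes back, and the parameterized query returns nothing for either of them. In a JSP application the equivalent of the hardened function is a JDBC `PreparedStatement` with `?` placeholders instead of concatenating request parameters into the SQL string.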
