Oracle DB SQLi help


Mohit Chawla

Nov 5, 2013, 4:11:05 AM
to null-co-in
Hello nulls,

I have been trying to look for any resourceful links or tips or ways to exploit this Oracle DB error, but I am not really getting anywhere.
Please let me know if there is any possible way to exploit it.

Scenario: A date input field is vulnerable; it gives the following DB error if I try to insert anything apart from numbers:
ORA-01858: a non-numeric character was found where a numeric was expected ORA-06512: at "TPH.SP_UPDATE_VENDOR_INFORMATION", line 34 ORA-06512: at line 1

I did give Pentestmonkey's cheat sheet a try:
http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet
Honestly, with little understanding of it.

Any help!

Regards,
Mohit

Hemal Shah

Nov 5, 2013, 5:19:52 AM
to null-...@googlegroups.com
There is nothing you can do. You need to consult the Oracle technical person and ask him to do the below:

Fix the input (code) data or the date format model to make sure the elements match in number and type.

Regards

Hemal Shah

null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/

karniv0re

Nov 6, 2013, 4:17:37 PM
to null-...@googlegroups.com
Hi Mohit,

From the ORA error it looks like the web app takes input from the user and sends it to a stored procedure that has some data type validation OR has a strict data type defined for the column value. You will have to use only numbers here, and only a limited set of numbers, since the data type for the column looks like it's a date field.

All in all, an extremely difficult entry point for SQL injection.

Regards,
karniv0re

Mohit Chawla

Nov 7, 2013, 1:39:19 AM
to null-co-in
Thank you Riyaz. That is really insightful.

More on the issue. I could get some more errors with the following different inputs while trying to figure out the logic being used behind the page.

31/aa/2013 - ORA-01858: a non-numeric character was found where a numeric was expected ORA-06512: at "TPH.SP_UPDATE_VENDOR_INFORMATION", line 34 ORA-06512: at line 1

31/12/2013 - Normal expected Response - Your details have been saved successfully.
31\12\2013 - Normal expected Response - Your details have been saved successfully.
31-12-2013 - Normal expected Response - Your details have been saved successfully.
31'12'2013 - Normal expected Response - Your details have been saved successfully.
31$12$2013 - Normal expected Response - Your details have been saved successfully.

31122013 - Normal expected Response - Your details have been saved successfully.

311220131 - ORA-01861: literal does not match format string ORA-06512: at "TPH.SP_UPDATE_VENDOR_INFORMATION", line 34 ORA-06512: at line 1

With this, special char substitution is not helping in generating an error, but number replacement and length of string are.

Regards,
Mohit



Mohit Chawla

Nov 7, 2013, 1:51:28 AM
to null-co-in, Riyaz Walikar
I guess I need to drop it here and move on. :)
There seems to be a very tiny window to exploit.

Strangely, out of so many input fields, only this param is vulnerable and responsible for generating any DB errors.

Regards,
Mohit
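
The fix suggested earlier in the thread (validate the input so it matches the date format), sketched as an added example that is not part of the original messages or of the application discussed: strict server-side validation of the field plus a generic error reply, replayed over the inputs listed above. The DD/MM/YYYY format, the function names and the `call_procedure` wrapper are assumptions.

```python
import re
from datetime import datetime

# Assumption: the field's only accepted format is DD/MM/YYYY.
_DATE_RE = re.compile(r"[0-9]{2}/[0-9]{2}/[0-9]{4}")
FORMAT_ERROR = "Please enter the date as DD/MM/YYYY."
GENERIC_ERROR = "Your details could not be saved."
SUCCESS = "Your details have been saved successfully."


class InvalidDate(ValueError):
    """Input is not a real calendar date in DD/MM/YYYY form."""


def parse_vendor_date(raw):
    # fullmatch rejects other separators, missing separators and extra digits.
    if not isinstance(raw, str) or not _DATE_RE.fullmatch(raw):
        raise InvalidDate("wrong shape")
    try:
        return datetime.strptime(raw, "%d/%m/%Y").date()
    except ValueError as exc:  # right shape, impossible date such as 31/02/2013
        raise InvalidDate("not a calendar date") from exc


def handle_update(raw, call_procedure, log=lambda msg: None):
    # call_procedure: hypothetical wrapper that passes the date as a bind variable.
    try:
        value = parse_vendor_date(raw)
    except InvalidDate:
        return FORMAT_ERROR
    try:
        call_procedure(value)
    except Exception as exc:
        log(repr(exc))        # ORA-xxxxx detail stays in server-side logs
        return GENERIC_ERROR  # client never sees schema or procedure names
    return SUCCESS


# Inputs taken from the thread, replayed against a stub procedure.
THREAD_INPUTS = ["31/aa/2013", "31/12/2013", "31\\12\\2013", "31-12-2013",
                 "31'12'2013", "31$12$2013", "31122013", "311220131"]


def replay(inputs=THREAD_INPUTS):
    return {text: handle_update(text, lambda d: None) for text in inputs}


if __name__ == "__main__":
    for text, reply in replay().items():
        print(f"{text!r:16} {reply}")
```

With this in front of the procedure call, only `31/12/2013` from the list reaches the database, and a database failure produces the same generic reply regardless of its cause.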