Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> oracle sql injection pen test help
(Message started by: Pete Finnigan on Nov 29th, 2005, 9:45pm)

Title: oracle sql injection pen test help
Post by Pete Finnigan on Nov 29th, 2005, 9:45pm
Hey guys, I am doing a pen test on an Oracle server and I need a little help. I try to inject SQL injection commands, for example: union select password from dba_users--

and then I get the error message:

ORA-01789: query block has incorrect number of result columns

so I put the right columns:

union select password,1,1,1,1,1,1,1,1,1 from dba_users--

and then I get the message:

ORA-01790: expression must have same datatype as corresponding expression

so I try to replace 1 with NULL, for example: union select NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL

but it is still not working!!! It gives me the same error. Maybe in Oracle it is not like MS SQL, where you can put NULL if you want all the datatypes to match. So my question is:
what do I need to do if I want to figure out the datatype of the columns???

because this shows that not only the number of columns needs to be the same
but also the data types have to be the same.

I can't brute force 12 columns, it will take months and maybe years.
I need to figure out the datatype of each column, and I don't know how :(

Is there any trick??
or tips?????

please help

thanks a lot

limor.
limor188@walla.co.il

Title: Re: oracle sql injection pen test help
Post by Pete Finnigan on Nov 30th, 2005, 4:31am
SELECT SYSDATE,1,'a' FROM dual
UNION
SELECT NULL,NULL,NULL FROM dual

works fine, so that suggests it is the first column that is the problem (i.e. the one you are trying to get the password from)

Title: Re: oracle sql injection pen test help
Post by Pete Finnigan on Nov 30th, 2005, 6:25am
Hey, thanks for your answer, but I try to replace 1 with NULL, for example: union select password,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL from dba_users--
and still get the same error: ORA-01790: expression must have same datatype as corresponding expression.

Anyway I can't check each of the 12 columns' datatypes, it will take months, maybe years.

You gave me an example with 3 columns, but I have 12 columns :(, so my question is if there is some way to know each column's datatype??? or another trick to "bypass" the error message that says: expression must have same datatype as corresponding expression.

please help

thanks a lot

limor

Title: Re: oracle sql injection pen test help
Post by Pete Finnigan on Nov 30th, 2005, 6:33am
Anyway, you mean I get the same error because of the column password, for example:
union select password,NULL from dba_users??

You mean that NULL should work on Oracle???

because I know that in MS SQL NULL works like a baby to match all the datatypes, so in Oracle it works too?

Title: Re: oracle sql injection pen test help
Post by Pete Finnigan on Nov 30th, 2005, 7:59am
Anyway I try to put a NULL on all the columns, for example: %20union%20select%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20from%dual--

and still get the error:
java.sql.SQLException: ORA-01790: expression must have same datatype as corresponding expression

:( any ideas?

Title: Re: oracle sql injection pen test help
Post by Pete Finnigan on Nov 30th, 2005, 6:19pm
Hey guys, I found another injection with only 2 columns: union select password,1 from dba_users--

and I was able to collect the admin hash. Anyway I try to put another table name, not the table (dba_users),

for example: union select username,1 from users--

and I get the error message:
java.lang.StringIndexOutOfBoundsException: String index out of range: -2

and I try to collect table names from user_tables, for example:

union select table_name,1 from user_tables--

and I get the error: java.lang.StringIndexOutOfBoundsException: String index out of range: -5

Why do I get these errors???, any tricks to bypass this error??, any ideas??

please help me

thanks again

limor

Title: Re: oracle sql injection pen test help
Post by Pete Finnigan on Dec 1st, 2005, 11:18pm
SELECT SYSDATE,1,'a' FROM dual
UNION
SELECT NULL,NULL,NULL FROM dual

Works in 9iR2 and 10gR2, but in 8i gives the error:
ORA-01790: expression must have same datatype as corresponding expression.

The fact that you've found an SQL Injection route and that there is access to DBA_USERS is 'enough' for a penetration test. Anything else is almost certainly plain and simple (and illegal) hacking.

It looks like you are trying to hack an 8i database.

Title: Re: oracle sql injection pen test help
Post by Pete Finnigan on Dec 2nd, 2005, 6:48pm
Hey gamyers, first of all thanks again, and second, I am doing a pen test for a client so I want to show him more features, not only the dba_users hash. Anyway I was able to find another injection on the website that returns me all the data, for example: union select table_name from user_tables, now it's working.

Second, I want to know if you have any ideas: if some site filters the words "union select", do you have any ideas for signature evasion??? I know the comment trick to bypass it, but do you have more ideas for evading signatures???

comments trick: /**/UNION/**/SELECT/**/table_name from user_tables--

Another question: I was trying to get data from the database using cast, for example:

ID=(select cast(username AS int)from all_users)--

but it gives me the error: ORA-01722: invalid number, then I tried to replace the int datatype with integer, and it still gives me the same error??

Why???, please answer my questions, thanks a lot
limor
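The two things this thread keeps coming back to, the verbose ORA-01789 / ORA-01790 / ORA-01722 errors the application echoes to the client (first post) and the /**/ comment-separated form of UNION SELECT (last post), are both visible to whoever owns the application's logs. The following is an added example written for this page, not code from the thread or from the forum: a small Python scanner over constructed sample log lines in a hypothetical format (method, path, HTTP status, then a tab and whatever ORA error text the application returned). It URL-decodes and strips SQL comments from the query string before matching, so the comment-separated form lands on the same rule as the plain one, and it separately flags any response that leaks an ORA- error code, because that leak is exactly what lets an attacker count columns one error at a time.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not taken from the thread). Hypothetical
# format: "METHOD PATH STATUS<TAB>error text echoed in the response, if any".
SAMPLE_LOG = """\
GET /item?ID=7 200\t
GET /item?ID=7%20union%20select%20password,1%20from%20dba_users-- 500\tjava.sql.SQLException: ORA-01789: query block has incorrect number of result columns
GET /item?ID=7/**/UNION/**/SELECT/**/table_name%20from%20user_tables-- 200\t
GET /item?ID=(select%20cast(username%20AS%20int)from%20all_users)-- 500\tORA-01722: invalid number
GET /search?q=reunion%20selection 200\t
"""

# Comment stripping and whitespace collapsing: the /**/ trick and %20 encoding
# both reduce to a single canonical "union select" after this.
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_WS = re.compile(r"\s+")


def normalise(query_string: str) -> str:
    """URL-decode, replace /* ... */ comments with a space, collapse whitespace, lowercase."""
    s = unquote_plus(query_string)
    s = _COMMENT.sub(" ", s)
    s = _WS.sub(" ", s)
    return s.strip().lower()


# Word boundaries keep ordinary text such as "reunion selection" from matching.
_UNION_SELECT = re.compile(r"\bunion\b\s+(all\s+)?\bselect\b")
# Data-dictionary views that appear in the thread; a normal application
# request has no reason to name them in a query string.
_DICTIONARY = re.compile(r"\b(dba_users|all_users|user_tables|all_tables)\b")
# An ORA-nnnnn code in the response body means the raw database error reached the client.
_ORA_ERROR = re.compile(r"\bORA-\d{5}\b")
_LINE = re.compile(r"^(\S+) (\S+) (\d{3})\t?(.*)$")


def classify(line: str) -> dict:
    """Return the request path, status and a list of flags for one log line."""
    m = _LINE.match(line)
    if not m:
        return {"line": line, "flags": ["unparsed"]}
    method, path, status, body = m.groups()
    flags = []
    if "?" in path:
        norm = normalise(path.split("?", 1)[1])
        if _UNION_SELECT.search(norm):
            flags.append("union-select")
        if _DICTIONARY.search(norm):
            flags.append("dictionary-view")
    ora = _ORA_ERROR.search(body)
    if ora:
        flags.append("ora-error-leak:" + ora.group(0))
    return {"path": path, "status": status, "flags": flags}


def scan(log_text: str) -> list:
    """Classify every non-empty line of a log file."""
    return [classify(l) for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for result in scan(SAMPLE_LOG):
        if result["flags"]:
            print(result["status"], result["flags"], result["path"])
```

The "ora-error-leak" flag is the one worth acting on first: it fires regardless of how the payload was obfuscated, and the fix on the application side (catch the database exception, log it server-side, return a generic error) removes the oracle the first post is relying on. The normalisation step only covers the two obfuscations the thread itself mentions, comments and URL encoding; a real deployment would feed the normalised string to a proper SQL tokenizer rather than extending the regex list.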
