Getting Past the Comma(,) in Oracle SQL Injection
Recently i came across a SQL Injection against oracle database, where the vulnerable parameter was taking comma separated input.
Thus Valid input will look like:- index.do?id=1,200
And it was easier to confirm that its vulnerable to sql injection by making true and false responses:-
True response:- index.do?id=1,200 and 1=1
False Response:- index.do?id=1,200 and 1=2
This way i could carry out the bind sql injection, but then i tried to get data through out of band channeling and that worked too:-
However, the problem arrived when i had to get data by iterating through rows. In order, to iterate through rows i use the following syntax:-
SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9;
But As this application was taking comma separated values, this comma resulted in my query being structured in some other way and the application returned error.
A solution to this is to use the query like:-
(select+column_name+from+all_tab_columns where+rownum<4 ))||
By increasing the rownum number (in bold) iteration could be achieved. However, as this number increases the backend queries become more and more cpu intensive. I still could not do union select query as the original query select more than one column and i could not figure out a way to do union select without entering comma.
A good resource for pentesting oracle Application server can be found here:-
Oracle Application Scanner(OAPscan) is also a very handy tool.