Getting Past the Comma(,) in Oracle SQL Injection

May 24, 2008

Recently I came across a SQL injection against an Oracle database, where the vulnerable parameter took comma-separated input.

Thus a valid input looked like:-,200

It was easy to confirm that it was vulnerable to SQL injection by eliciting true and false responses:-

True response:-,200 and 1=1

False response:-,200 and 1=2

This way I could carry out blind SQL injection, and then I tried to get data through out-of-band channelling, which worked too:-



However, the problem arrived when I had to get data by iterating through rows. To iterate through rows I use the following syntax:-

SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9;

But as this application was taking comma-separated values, the comma in this query caused it to be parsed in some other way, and the application returned an error.

A solution to this is to use the query like:-

(select+column_name+from+all_tab_columns where+rownum<4 ))||

By increasing the rownum bound (the 4 in the query above), iteration could be achieved. However, as this number increases the backend queries become more and more CPU intensive. I still could not do a UNION SELECT, as the original query selects more than one column and I could not figure out a way to do a UNION SELECT without entering a comma.
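As an added illustration (not code from the original post), here is the handler pattern that produces this class of bug beside its fixed form: the comma-separated request parameter spliced straight into the SQL text, versus the same list parsed into integers and passed as Oracle positional bind variables. The table name, column name and maximum list length are assumptions.

```python
import re

# Constructed stand-in for the vulnerable handler: the request parameter is a
# comma-separated list such as "100,200" that is concatenated into the SQL.
# Anything after the comma, including "and 1=1", becomes part of the statement.
def build_query_unsafe(param: str) -> str:
    return "SELECT * FROM orders WHERE id IN (" + param + ")"


_INT = re.compile(r"^-?\d+$")


# Fixed version: the list is split, every element is validated as an integer,
# and each value becomes an Oracle bind placeholder (:1, :2, ...). Returns the
# SQL text and the bind list, which a driver would pass to cursor.execute().
# Because the values never touch the SQL text, a comma in the input can only
# ever separate list items; it cannot restructure the query.
def build_query_safe(param: str, max_items: int = 50):
    parts = [p.strip() for p in param.split(",")]
    if not parts or len(parts) > max_items:
        raise ValueError("unexpected number of values")
    binds = []
    for p in parts:
        if not _INT.match(p):
            raise ValueError(f"non-numeric value rejected: {p!r}")
        binds.append(int(p))
    placeholders = ", ".join(f":{i}" for i in range(1, len(binds) + 1))
    return f"SELECT * FROM orders WHERE id IN ({placeholders})", binds


# Convenience check: does the hardened builder accept this parameter?
def accepts(param: str) -> bool:
    try:
        build_query_safe(param)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(build_query_unsafe(",200 and 1=1"))   # injected predicate survives
    print(build_query_safe("100, 200"))          # placeholders plus [100, 200]
    print(accepts(",200 and 1=1"))               # False: rejected before SQL
```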

A good resource for pentesting Oracle Application Server can be found here:-

Oracle Application Scanner (OAPscan) is also a very handy tool.

