The situation is as follows:

I have identified an SQL injection attack vector, and have the following information about the target table:

  • It has six columns (identified using "order by").
  • I can see the output of 3 of them (the table is displayed). Two seem to be some kind of enum value (integer in the database?), and one is a date. I have a very strong suspicion that col #6 is the date column.
  • I'm almost sure the database is Oracle (ROWNUM works and LIMIT gives an error).
  • I don't have error messages (generic text is always returned: "something went wrong").
  • The frontend is PHP, if that matters. But there might be a middle layer between it and the database (e.g. a Java service), so I'm not sure where the query is being constructed.

E.g. the following search query works as expected:

```
test' AND ROWNUM <= 5 ORDER BY 6--
```

BUT I'm unable to make UNION ALL SELECT work:

```
test' UNION ALL SELECT null,null,null,null,null,null--
```

The above line gives an error.

I've tried things like:

```
test' UNION ALL SELECT '2015.01.01', '2015.01.01', '2015.01.01', '2015.01.01', '2015.01.01', '2015.01.01'--
```

so that the values could match both datetime and string fields, but no success :(

I'm no expert in SQL injection, and especially Oracle (though I have experience with MsSql).

Is there ANY way to identify column types so that UNION ALL SELECT injection could work?

If not, are there any alternatives to the above technique that allow retrieval of the result of an arbitrary query I can execute on the target? Retrieving @@version or similar would be mission accomplished in my case.

user74898
  • Assuming you're right it's Oracle, that doesn't support `SELECT value(s)` without any table(s). You must `SELECT value(s) FROM dual`, where DUAL is a table provided by the system in every database that always has one row and one column DUMMY with the value 'X' and you typically ignore that column and its value. – dave_thompson_085 May 06 '15 at 04:10
  • [Same question on StackOverflow](http://stackoverflow.com/q/30056598/53114) – Gumbo May 06 '15 at 05:07

0 Answers