Blind SQL Injection Guidance

So I'm doing an exercise for class and I'm having a bit of trouble understanding this particular database that I'm meant to break into blindly.

The database throws the following error with the string: x'

Error Type: Microsoft OLE DB Provider for ODBC Drivers (0x80004005) [Microsoft][ODBC driver for Oracle][Oracle]ORA-01756: quoted string not properly terminated

showing that it is vulnerable.

Similarly, the database concatenates fine with a valid input aka valid'||'input returns the correct webpage for the input.

What confuses me is that the database does not throw an error when the input x' -- is entered, but when the input x'; -- is entered the db throws the following error:

Error Type: Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) [Microsoft][ODBC driver for Oracle][Oracle]ORA-00911: invalid character

I've also tried URL encoding the input so that it reads x'%3b+-- or x'%3b -- but it returns the same result.

Does anyone have any clue where to step next since it seems that I can't inject a semicolon ; into a query?

Everything's an Edit Below This:

Edit 1: I got to thinking and thought I might be inside of a parenthetical block. I tried the input x'); and it produces the following error:

Error Type: Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) [Microsoft][ODBC driver for Oracle][Oracle]ORA-00933: SQL command not properly ended

Edit 2: Found out that the statement validinput'order by 52-- produced a result, but validinput'order by 53-- produced an error. I concluded the table has 52 columns.

I'm attempting validinput' union select 1 from table_name now, but it feels largely like a huge guessing game. I don't know what any of the table names could possibly be.

Edit 3: My brain is honestly hurting at this point but I think I'm almost there... The statement validnum'+union+select+null,2,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null+from+dual--

returned a legitimate page

Edit 4: Followed Jeffrey Kemp's suggestion and I got a single table (the output seems to be limited to 1 row). Uh oh. More information though, the version is Oracle 9i, and I know the database name plus user name, and a few of the tables through blind luck. The goal of the exercise is to change a value in one of the tables. However, I've run into difficulty getting the column names since the output is limited to 1 row. Any suggestions?

sql
oracle
odbc
sql-injection
asked on Stack Overflow Nov 14, 2017 by Matt W • edited Nov 15, 2017 by Matt W
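
Seen from the defending side, the probes and leaked ORA- errors quoted in this question are detectable signals. The following is an added example, not part of the original post: it checks constructed request/response pairs for those signals and groups them per client. The function names, rule names, threshold and sample events are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Signals taken from the probes and errors quoted in the question above.
PARAM_RULES = {
    "quote_then_comment": re.compile(r"'.*--"),
    "order_by_probe": re.compile(r"'\s*order\s+by\s+\d+", re.I),
    "union_select_probe": re.compile(r"'\s*union\s+select\b", re.I),
    "concat_probe": re.compile(r"'\s*\|\|\s*'"),
}
ORA_ERROR = re.compile(r"ORA-\d{5}")  # database error text leaking into the page

def classify(raw_param, response_body):
    """Return the set of signal names for one request/response pair."""
    value = unquote_plus(raw_param)  # undo %3b and '+' encoding before matching
    hits = {name for name, rx in PARAM_RULES.items() if rx.search(value)}
    hits |= {"leaked_" + code for code in ORA_ERROR.findall(response_body)}
    return hits

def suspicious_clients(events, threshold=3):
    """Report clients whose requests produced >= threshold distinct signals."""
    seen = defaultdict(set)
    for client, raw_param, body in events:
        seen[client] |= classify(raw_param, body)
    return {c: sorted(s) for c, s in seen.items() if len(s) >= threshold}

# Constructed sample events: (client, raw parameter value, response excerpt).
SAMPLE_EVENTS = [
    ("198.51.100.7", "x'", "[Oracle]ORA-01756: quoted string not properly terminated"),
    ("198.51.100.7", "x'%3b+--", "[Oracle]ORA-00911: invalid character"),
    ("198.51.100.7", "validinput'order+by+53--", "error page"),
    ("198.51.100.7", "validnum'+union+select+null,2+from+dual--", "<html>ok</html>"),
    ("203.0.113.9", "O'Brien", "<html>ok</html>"),  # benign apostrophe, no signal
]

if __name__ == "__main__":
    for client, signals in suspicious_clients(SAMPLE_EVENTS).items():
        print(client, signals)
```

A single apostrophe in a value is not treated as a signal on its own, so ordinary names do not trip the rules; the per-client threshold is what separates a probing sequence from one malformed request.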

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0