From: Robin Wood (dninja gmail.com)
Date: Mon Jun 15 2009 - 09:08:41 CDT
2009/6/11 <lister lihim.org>:
> Requesting assistance.
>
> An application uses GET and one of the parameters translates to an ORDER BY
> in an Oracle SQL query.
>
> I can put in 1 through X where X is a column number to order the output up to X columns.
>
> I can also get ORA errors, so I know I have direct access to the SQL query.
>
> I'm looking for references on possible queries for a query with an injectable
> ORDER BY clause. I'm not sure if it is possible to break out of the ORDER BY
> to query other data.
>
Is Oracle like MS SQL where you can add a ; then a second statement?
The second can then be anything you want.
Robin
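
Added example, not part of the original thread: a sort parameter cannot be passed as a bind variable, so the defensive fix for the pattern described above is to map the request value onto a fixed allowlist before it reaches the ORDER BY clause. The table, column names and function names are hypothetical, and sqlite3 stands in for the Oracle back end so the sketch runs offline.

```python
import sqlite3

# Hypothetical allowlist: public sort key -> fixed column name in the query.
SORT_COLUMNS = {"1": "id", "2": "name", "3": "created", "name": "name"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(sort_param, direction_param="asc"):
    """Return an ORDER BY clause assembled only from allowlisted literals."""
    try:
        column = SORT_COLUMNS[sort_param.strip().lower()]
        direction = DIRECTIONS[direction_param.strip().lower()]
    except (KeyError, AttributeError):
        # Unknown key, out-of-range column number, or non-string input.
        raise ValueError("unsupported sort parameter")
    return f"ORDER BY {column} {direction}"


def list_users(conn, sort_param, direction_param="asc", min_id=0):
    # Data values still go through bind variables; only the identifier is
    # spliced into the text, and it never comes from the request itself.
    sql = ("SELECT id, name FROM users WHERE id >= ? "
           + build_order_by(sort_param, direction_param))
    return conn.execute(sql, (min_id,)).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, created TEXT)")
    # Constructed sample rows.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "carol", "2009-06-01"),
        (2, "alice", "2009-06-03"),
        (3, "bob", "2009-06-02"),
    ])
    rejected = []
    # Constructed request values that are not on the allowlist.
    for value in ("4", "1; SELECT 1", ""):
        try:
            list_users(conn, value)
        except ValueError:
            rejected.append(value)
    return {"by_name": list_users(conn, "2"), "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Rejected values never reach the database, so they also produce no ORA-style error text for the client to read.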