Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: PL/SQL where clause quandary

Re: PL/SQL where clause quandary

From: Pete Finnigan <pete_at_petefinnigan.com>
Date: Tue, 2 Sep 2003 20:16:45 +0100
Message-ID: <zJHwIBBdyOV$EwKg@peterfinnigan.demon.co.uk>


Hi Steven

I understand your quandary but I also agree with the other poster you should really get the third party app company to fix the bug rather than try and work around it. Hacking it is not the way.

BUT if you have no other choice than to hack then you could try SQL injection. If you can only edit the table name (and add as much text as you like) but not the where clause then you can pass the where clause with the table name and add a comment at the end to block out the original where clause. The issue you will have is if the two numbers given are generated by the app then how do you generate them outside the third party app and add to your new where clause. An example would be:

before :- table name passed in is "points" and it generates

select a,b from points where a = 2 and a = 10;

after :- table name passed in is "points where a is between 2 and 10;--"

select a,b from points where a is between 2 and 10;-- where a=2 and a=10;

Of course without knowing more I am not sure this would work for you.

take a look at my website http://www.petefinnigan.com/orasec.htm, there are links to three papers I have written recently about SQL injection on Oracle that may interest you.

hth

kind regards

Pete

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Received on Tue Sep 02 2003 - 14:16:45 CDT

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US