
While pentesting a website (yes, legally), an SQL injection popped up, but I can't see how to use it currently. The query string looks like this, and the insertion point is at the first _ after values:

query = 'SELECT  item.a 
           FROM favitem item 
          WHERE ( item.a =?) AND (item.b=? )', values = [123456789_, 987654321]

a simple

, 1] UNION SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'; -- 

doesn't return any values, but states it was successful. It is always successful when it includes '%', even on random strings that are unlikely to match at all. It returns an error when it states LIKE 'Oracle' (without %). Any suggestions why this is always successful with %?

  • Which programming language is that? How are the placeholders (?) used in the DB access code? Is that a prepared statement in the background, or is the code actually doing string replacement? Commented Aug 5, 2013 at 8:30
  • I would have supposed that this is regular sql from oracle and that the placeholders are replaced with the values provided afterwards. Commented Aug 5, 2013 at 8:36
  • That is not "regular SQL". It is part of some kind of programming language (the query = ... defines a variable in whatever language you are using; it is not a valid SQL statement). Parameter markers like ? are usually used in "prepared statements", which are not subject to SQL injection. Commented Aug 5, 2013 at 8:41
  • My bad, I'm sorry. The language should be java. Commented Aug 5, 2013 at 11:57
  • Then it is almost certainly a PreparedStatement and thus not subject to SQL injection, at least not the way you showed us, although the actual code that is executing the statement is missing, and that is the important part. Also, String literals use double quotes " in Java, not single quotes ', and the comma notation for the values part also seems a bit strange. Are you using any framework, e.g. Spring JDBC Template? Commented Aug 5, 2013 at 12:01
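
The comments above turn on one point: a `?` placeholder in a prepared statement binds the value as data, while string replacement splices it into the SQL text. The following is an added example, not code from the question or its comments. It models the question's query shape with Python's standard-library sqlite3 instead of Java JDBC; the `favitem` rows, the `secret` table, and the `hostile_a` value are constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed in-memory database mirroring the shape of the query in the
    question. Table contents are sample data for this example only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE favitem (a INTEGER, b INTEGER)")
    conn.execute("INSERT INTO favitem VALUES (123456789, 987654321)")
    conn.execute("INSERT INTO favitem VALUES (111, 222)")
    # Stand-in for data the original query was never meant to return.
    conn.execute("CREATE TABLE secret (banner TEXT)")
    conn.execute("INSERT INTO secret VALUES ('constructed-sample-banner')")
    return conn


def query_concatenated(conn, a, b):
    """Vulnerable: the values are pasted into the SQL text, so whatever `a`
    contains is parsed as part of the statement."""
    sql = ("SELECT item.a FROM favitem item "
           "WHERE (item.a = %s) AND (item.b = %s)" % (a, b))
    return [row[0] for row in conn.execute(sql)]


def query_parameterized(conn, a, b):
    """Safe: the driver binds `?` placeholders after parsing, so `a` is only
    ever compared as a value. This is what a Java PreparedStatement does."""
    sql = ("SELECT item.a FROM favitem item "
           "WHERE (item.a = ?) AND (item.b = ?)")
    return [row[0] for row in conn.execute(sql, (a, b))]


def demo():
    """Run both variants with a legitimate id and with a constructed value
    that closes the parenthesised predicate, appends a UNION, and comments
    out the rest of the original statement."""
    conn = build_db()
    legit_a, legit_b = 123456789, 987654321
    hostile_a = ("123456789) AND (item.b = 987654321) "
                 "UNION SELECT banner FROM secret --")
    return {
        "concat_legit": query_concatenated(conn, legit_a, legit_b),
        "concat_hostile": query_concatenated(conn, hostile_a, legit_b),
        "param_legit": query_parameterized(conn, legit_a, legit_b),
        # The bound text never equals an INTEGER column value, so nothing matches.
        "param_hostile": query_parameterized(conn, hostile_a, legit_b),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The concatenated variant leaks the `secret` row alongside the legitimate result; the parameterized variant returns the same legitimate row for the real id and an empty result for the hostile value, because the placeholder is bound after the statement has already been parsed. When reviewing the code behind the question's `values = [...]` list, the thing to confirm is which of these two paths the framework actually takes.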

1 Answer


To find an injection is one thing, but to ask the community to write you an exploit for it is another.

So, if you have found it - just report. That's what pentests are for.


1 Comment

One thing is that it is always better to give clients some data alongside an SQLi, but that's not what I asked for; I'm looking for an explanation why the % is necessary and why it does seem to react positively even if there is no such entry.
