• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

sqlia problem

 
mohuza zack
Greenhorn
Posts: 21
Eclipse IDE Java Oracle
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
hello i would like to ask help on sqli...

i have an app, and the username field will convert any given value to the integer value using integer.parseint..
the app use jsp and oracle database..

the url has been tested with sqlmap and it is not dynamic..so the only way i can try is via the login form.. but i could not bypass it..
but when i put ' or 1=1-- ,the server return error "error for input string"..
the app convert that to string.. so how it can be done? i don't know whether i can use the alternate encoding because it will convert that to integer anyway..

please help me..tq!
 
Wendy Gibbons
Bartender
Posts: 1110
Eclipse IDE Oracle VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am sorry, but I am completely confused. and as you have had no replys I am guessing so is everyone else.
All of the information you have provided seems so fragmented I have no idea what to make of it.

what is your actual problem? are you getting an error message?
 
mohuza zack
Greenhorn
Posts: 21
Eclipse IDE Java Oracle
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
sorry if my explanation is confusing..it is actually like this..
i have an application..it is at my localhost, and ofcoz i have the source code.. i want to do sqli to that app.. based on the entry points to inject codes, i determined that the login form can be used..

login form has 2 fields.. username and password.. the input given in the username field will be converted to the integer.. so when i put the value " hi' OR 1=1-- " in the field, the server return error says that "error: for input string" because the value cannot be converted to the integer..

i don't have any idea how to do sqli on that kind of login form..

i have tested the input parameter in the url using sqlmap, and looks like it is not injectable..but i still did not try sqli on that in depth./

hope that is not confusing..tq
 
Wendy Gibbons
Bartender
Posts: 1110
Eclipse IDE Oracle VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
ahh now i understand, but don't have any experience but..
it seems to me that by converting to an integer you are stopping the problem all together, the page i found explaining what sqlia was the example are using the password.

as a secondary question: are all usernames going to be numbers?
 
mohuza zack
Greenhorn
Posts: 21
Eclipse IDE Java Oracle
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
when we use sqlia to the pwd field, what happen to the username? i mean what we will put in the username.. and will it affect the query for example in the login form..

yup you are right.. the input will be converted using Integer.parseInt(var).. that's why i don't know how to attack that.. and as far as i know, there is no sqli which is only use numbers right?

i need to prove that it is vulnerable to sqlia..
 
Wendy Gibbons
Bartender
Posts: 1110
Eclipse IDE Oracle VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
mohuza zack wrote:when we use sqlia to the pwd field, what happen to the username? i mean what we will put in the username.. and will it affect the query for example in the login form..

yup you are right.. the input will be converted using Integer.parseInt(var).. that's why i don't know how to attack that.. and as far as i know, there is no sqli which is only use numbers right?

i need to prove that it is vulnerable to sqlia..

for the username any valid integer, as you just want to get to the database
 
mohuza zack
Greenhorn
Posts: 21
Eclipse IDE Java Oracle
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
yeah, it works!thanks Gibbons! just put the tautology in the pwd field..

i have another question.. i have the search form.. can anyone attack this one and hope if you success, please let me know..

i don't know how to do it but it seems that, it only display what i have put in the search field..i give the URL..

http://www.batike-gallery.my/theSearch.php

thnks in advance!
 
Wendy Gibbons
Bartender
Posts: 1110
Eclipse IDE Oracle VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
as you know as much about sqlia as me, i cna not help, but are the pictures in the gallery of batik or printing, as they are very fine if they are batik.
 
mohuza zack
Greenhorn
Posts: 21
Eclipse IDE Java Oracle
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Gibbons, i can't understand what are you saying actually.

anybody can help?
 
Wendy Gibbons
Bartender
Posts: 1110
Eclipse IDE Oracle VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
calling me Gibbons is considered very rude, please put a title in the front so Mrs Gibbons(formal) or call me Wendy (informal).

i was commenting on the website you linked me to, it has a gallery page with lots of pictures in it.
 
mohuza zack
Greenhorn
Posts: 21
Eclipse IDE Java Oracle
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
i am sorry Mrs Gibbons, my mistake..i am really2 sorry... i'll take that as a lesson for sure..
yeah its true, a lot of pictures but it is just for preview only.. i want to do sqlia but still not able to do it..
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic