Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Oracle Application Server 10g question
From: Joxean Koret <joxeankoret () yahoo es>
Date: Wed, 14 Mar 2007 22:26:03 +0100

Hi Lee,

On miƩ, 2007-03-14 at 10:08 +0000, Lee Lawson wrote:

Consider the following URL:
http://target.com/portal/page?_pageid=270,34&_dad=portal&_schema=PROTOCOL

This is the home page.  If I replace the _pageid= value with a single
quote, I am presented with the following error on the web page.
Error: ORA-06502: PL/SQL: numeric or value error: character to number
conversion error 

That's not SQL injection. If you receive messages like these while
pen-testing an Oracle Application Server's app ignore. You should check
for messages like ORA-00933, ORA-01756 or ORA-00923 (Unclosed quotation
mark, etc...). 

Ah! An check for any message starting with "PLS-". That kind of messages
are generated by badly composed sql commands. In Example, the following
bad SQL command:

BEGIN
  OWNER.PACKAGE([INJECTED &
MORE INJECTED DATA]
);
END;

Will generate a PLS-00103 error message. You should also check for
ORA-00604 messages ( Error ocurred at SQL recursive ), ORA-00942 (table
or view does not exists) and ORA-03113 (End of file on communication
channels) or ORA-00600 (internal error), but the 2 last are very-very
strange to find.

Hope that helps.

Regards,
Joxean Koret

Attachment: signature.asc
Description: This is a digitally signed message part


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault