Home page logo
/

pen-test logo Penetration Testing mailing list archives

Oracle Application Server 10g question
From: "Zed Qyves" <zqyves.spamtrap () gmail com>
Date: Thu, 15 Mar 2007 09:54:53 +0200

Hello Lee,

I have found Oracle pretty opinionated when it comes to what to inject
in an SQL Injection attack. In your case and regarding SQL Injection I
would think that the only option you really have is to UNION SELECT on
the _pageid, that is bruteforce the number of fields and the
respective field types. I can't tell you in advance where this will
lead you since a great deal has to do with what is done with the
_pageid after it reaches the backend, and I must say it does not look
promising.

Regarding your URL:
http://target.com/portal/page?_pageid=270,34&_dad=portal&_schema=PROTOCOL

The _pageid already contains a comma (,) that is a character that
would cause a numeric cast   error in the first place if it where used
as is. My guess is that at some point the pageid is tokenised by comma
(,) and the  both two numbers play a part - however this increases
your attack vectors by 100% :) make sure you attack both sides of the
comma.

Another interesting note:
* _dad variable. This *sort of* tells you that DAD, or Database Access
Descriptor,may be used, furthermore it is same as the first part of
the URL after the host name (although the tell tale /pls/ is missing).
"Database Hacker's Handbook" courtesy of D. Litchfield et al
(apologies from the al) contains a section on how to attack such an
architecture. Consider using the following URL
http://target.com/portal/"SYS".OWA_UTIL.CELLSPRINT?P_THEQUERY=select+1+from+dual.
If you get 1 back then you are mostly set.

ZQ

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault