Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Oracle URL SQL Injection issue
From: Joxean Koret <joxeankoret () yahoo es>
Date: Tue, 22 Jan 2008 22:22:35 +0100

Hi,

On lun, 2008-01-21 at 20:31 +0000, Clone wrote:

Well I already tried 

Id=90; select * from usr
I got following

OCIStmtExecute: ORA-00911: invalid character in
dbs.inc on line 44

OCIStmtExecute refuses to execute more than one command except when the
programmer uses a construction like:

begin
  proc('user_controlled_data');
end;


BTW how serious is the issue? Can an attacker delete
or modify database using the current issue? 

It depends in the privileges the user have and in which applications are
installed. First of all, you need to know the database version (banner
-varchar2- from v$version), what other users are (all_users) and, of
course, your roles (user_role_privs views) and granted system privileges
(user_privs).

Regards,
Joxean Koret

Attachment: signature.asc
Description: This is a digitally signed message part


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]