Penetration Testing mailing list archives
Oracle Application Server 10g question
From: "Zed Qyves" <zqyves.spamtrap () gmail com>
Date: Thu, 15 Mar 2007 09:54:53 +0200
Hello Lee,

I have found Oracle pretty opinionated when it comes to what to inject in an SQL Injection attack. In your case and regarding SQL Injection I would think that the only option you really have is to UNION SELECT on the _pageid, that is, brute-force the number of fields and the respective field types. I can't tell you in advance where this will lead you since a great deal has to do with what is done with the _pageid after it reaches the backend, and I must say it does not look promising.

Regarding your URL:

http://target.com/portal/page?_pageid=270,34&_dad=portal&_schema=PROTOCOL

The _pageid already contains a comma (,), that is, a character that would cause a numeric cast error in the first place if it were used as is. My guess is that at some point the pageid is tokenised by comma (,) and both numbers play a part - however this increases your attack vectors by 100% :) make sure you attack both sides of the comma.

Another interesting note:

* _dad variable. This *sort of* tells you that DAD, or Database Access Descriptor, may be used; furthermore it is the same as the first part of the URL after the host name (although the telltale /pls/ is missing). "Database Hacker's Handbook" courtesy of D. Litchfield et al (apologies from the al) contains a section on how to attack such an architecture.

Consider using the following URL http://target.com/portal/"SYS".OWA_UTIL.CELLSPRINT?P_THEQUERY=select+1+from+dual. If you get 1 back then you are mostly set.

ZQ
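A defender-side check for the two request shapes discussed in this message, as an added example that is not part of the original post: it flags logged request URLs whose _pageid is not a comma-separated list of integers (that format is the poster's guess) or whose last path segment names SYS or OWA_UTIL. The function names, finding labels and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption (the poster's guess): _pageid is a comma-separated list of integers.
PAGEID_OK = re.compile(r"\d{1,10}(,\d{1,10})*")
# Schema/package names taken from the URL in the post; extend for your own deny list.
SYSTEM_NAME = re.compile(r"(^|\.)(SYS|OWA_UTIL)(\.|$)", re.IGNORECASE)


def check_request(url):
    """Return a list of findings for one logged request URL or path."""
    findings = []
    parts = urlsplit(url)
    # The last path segment is where a DAD-style gateway expects a procedure name.
    segment = unquote(parts.path).rsplit("/", 1)[-1]
    if '"' in segment:
        # Double-quoted identifiers have no place in a normal page request.
        findings.append("quoted-identifier-in-path")
    if SYSTEM_NAME.search(segment.replace('"', "")):
        findings.append("system-package-call")
    query = parse_qs(parts.query, keep_blank_values=True)
    for value in query.get("_pageid", []):
        # Validate the whole value, which covers both sides of the comma.
        if not PAGEID_OK.fullmatch(value):
            findings.append("malformed-pageid")
    return findings


def scan(lines):
    """Map each suspicious request to its findings; clean requests are omitted."""
    report = {}
    for line in lines:
        findings = check_request(line.strip())
        if findings:
            report[line.strip()] = findings
    return report


# Constructed sample requests (not taken from any real log).
SAMPLE_LOG = [
    "/portal/page?_pageid=270,34&_dad=portal&_schema=PROTOCOL",
    "/portal/page?_pageid=270,34%27&_dad=portal&_schema=PROTOCOL",
    "/portal/%22SYS%22.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+1+from+dual",
]

if __name__ == "__main__":
    for request, findings in scan(SAMPLE_LOG).items():
        print(request, "->", ", ".join(findings))
```

The same _pageid pattern can be enforced at the application or reverse-proxy layer so that malformed values are rejected before they reach the backend.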