Oracle Application Server 10g question



Hello Lee,

I have found Oracle pretty opinionated when it comes to what to inject
in an SQL Injection attack. In your case and regarding SQL Injection I
would think that the only option you really have is to UNION SELECT on
the _pageid, that is, brute-force the number of fields and the
respective field types. I can't tell you in advance where this will
lead you since a great deal has to do with what is done with the
_pageid after it reaches the backend, and I must say it does not look
promising.

Regarding your URL:
http://target.com/portal/page?_pageid=270,34&_dad=portal&_schema=PROTOCOL

The _pageid already contains a comma (,), a character that
would cause a numeric cast error in the first place if it were used
as is. My guess is that at some point the pageid is tokenised by comma
(,) and both numbers play a part - however, this increases
your attack vectors by 100% :) make sure you attack both sides of the
comma.

Another interesting note:
* _dad variable. This *sort of* tells you that DAD, or Database Access
Descriptor, may be used; furthermore, it is the same as the first part of
the URL after the host name (although the telltale /pls/ is missing).
"Database Hacker's Handbook" courtesy of D. Litchfield et al
(apologies from the al) contains a section on how to attack such an
architecture. Consider using the following URL
http://target.com/portal/"SYS".OWA_UTIL.CELLSPRINT?P_THEQUERY=select+1+from+dual.
If you get 1 back then you are mostly set.

ZQ
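
For the defending side of the two observations in the message above (the comma-separated _pageid and a procedure name in the URL path), here is an added example that is not part of the original post: a request check that validates every _pageid token and flags paths naming a denied PL/SQL package. The function names, the deny-list and the sample requests are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Shape of the _pageid in the post's URL: integers separated by commas.
PAGEID_OK = re.compile(r"\d{1,10}(,\d{1,10})*")

# Assumed deny-list for this example. SYS and OWA_UTIL are the names that
# appear in the post; the remaining prefixes are illustrative additions.
DENY_PREFIXES = ("SYS.", "OWA_UTIL.", "OWA.", "DBMS_", "UTL_", "HTP.", "HTF.")


def normalise_procedure(segment):
    """Decode, drop double quotes and whitespace, then upper-case.

    Makes "SYS".OWA_UTIL.X, %22SYS%22.owa_util.x and sys.owa_util.x compare equal.
    """
    return re.sub(r'["\s]', "", unquote(segment)).upper()


def classify(url):
    """Return the findings for one request URL; an empty list means clean."""
    parts = urlsplit(url)
    findings = []
    proc = normalise_procedure(parts.path.rsplit("/", 1)[-1])
    if proc.startswith(DENY_PREFIXES):
        findings.append("denied-procedure:" + proc)
    for value in parse_qs(parts.query, keep_blank_values=True).get("_pageid", []):
        # fullmatch checks every token, so both sides of the comma are covered.
        if not PAGEID_OK.fullmatch(value):
            findings.append("pageid-not-integer-list")
    return findings


# Constructed sample requests (not taken from any real log).
SAMPLE_REQUESTS = [
    "/portal/page?_pageid=270,34&_dad=portal&_schema=PROTOCOL",
    "/portal/page?_pageid=270,34%27&_dad=portal&_schema=PROTOCOL",
    "/portal/%22SYS%22.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+1+from+dual",
]


def scan(requests):
    """Map each flagged request to its findings; clean requests are omitted."""
    results = {r: classify(r) for r in requests}
    return {r: f for r, f in results.items() if f}


if __name__ == "__main__":
    for request, findings in scan(SAMPLE_REQUESTS).items():
        print(findings, request)
```

The procedure name is normalised before the deny-list comparison so that quoting or percent-encoding the schema name does not change the outcome.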
