Oracle Application Server 10g question

From: Zed Qyves (zqyves.spamtrap@gmail.com)
Date: Thu Mar 15 2007 - 02:54:53 EST


Hello Lee,

I have found Oracle pretty opinionated when it comes to what to inject
in an SQL Injection attack. In your case and regarding SQL Injection I
would think that the only option you really have is to UNION SELECT on
the _pageid, that is, brute-force the number of fields and the
respective field types. I can't tell you in advance where this will
lead you since a great deal has to do with what is done with the
_pageid after it reaches the backend, and I must say it does not look
promising.

Regarding your URL:
http://target.com/portal/page?_pageid=270,34&_dad=portal&_schema=PROTOCOL

The _pageid already contains a comma (,), a character that would
cause a numeric cast error in the first place if it were used as is.
My guess is that at some point the pageid is tokenised by comma (,)
and both numbers play a part; however, this increases your attack
vectors by 100% :) make sure you attack both sides of the comma.

Another interesting note:
* _dad variable. This *sort of* tells you that a DAD, or Database Access
Descriptor, may be used; furthermore it is the same as the first part of
the URL after the host name (although the telltale /pls/ is missing).
"Database Hacker's Handbook" courtesy of D. Litchfield et al
(apologies from the al) contains a section on how to attack such an
architecture. Consider using the following URL
http://target.com/portal/"SYS".OWA_UTIL.CELLSPRINT?P_THEQUERY=select+1+from+dual.
If you get 1 back then you are mostly set.

ZQ
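A defender's view of the same request patterns ZQ describes, as an added example that is not part of the original post: a small Python scanner over constructed web-server log lines that flags `_pageid` values that are not one or two integers split by a comma, direct PL/SQL gateway calls to OWA_UTIL in the path, and SQL keywords in parameter values such as P_THEQUERY. The log lines, regexes and finding names are my own assumptions, not anything from the list or from Oracle.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Mar/2007:02:54:53 -0500] "GET /portal/page?_pageid=270,34&_dad=portal&_schema=PROTOCOL HTTP/1.1" 200 5120
10.0.0.5 - - [15/Mar/2007:02:55:10 -0500] "GET /portal/page?_pageid=270,34'&_dad=portal&_schema=PROTOCOL HTTP/1.1" 500 310
10.0.0.5 - - [15/Mar/2007:02:55:31 -0500] "GET /portal/%22SYS%22.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+1+from+dual HTTP/1.1" 200 12
10.0.0.7 - - [15/Mar/2007:02:56:02 -0500] "GET /portal/page?_pageid=33,1&_dad=portal&_schema=PROTOCOL HTTP/1.1" 200 4801
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')
PAGEID_RE = re.compile(r'^\d+(,\d+)?$')  # legitimate _pageid: one integer, or two split by a comma
SQL_RE = re.compile(r'\b(union|select|owa_util|dbms_\w+|utl_\w+)\b', re.I)  # assumed keyword list


def analyze_url(url):
    """Return a list of finding names for one request URL (empty if it looks benign)."""
    parts = urlsplit(url)
    path = unquote(parts.path)              # %22SYS%22.OWA_UTIL... becomes "SYS".OWA_UTIL...
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    # 1. A built-in package invoked directly through the DAD (schema.package.procedure in the path).
    if re.search(r'\bOWA_UTIL\.', path, re.I):
        findings.append("owa_util_call")
    # 2. _pageid is tokenised on the comma, so each side must be numeric.
    for value in params.get("_pageid", []):
        if not PAGEID_RE.match(value):
            findings.append("malformed_pageid")
    # 3. SQL keywords inside any parameter value, e.g. P_THEQUERY=select+1+from+dual.
    for name, values in params.items():
        if any(SQL_RE.search(unquote(v)) for v in values):
            findings.append("sql_in_param:" + name)
    return findings


def scan_log(text):
    """Return (ip, status, url, findings) for every log line with at least one finding."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # not a request line we understand; skip it
        findings = analyze_url(m.group("url"))
        if findings:
            hits.append((m.group("ip"), int(m.group("status")), m.group("url"), findings))
    return hits


if __name__ == "__main__":
    for ip, status, url, findings in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {', '.join(findings)}  {url}")
```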
