From: Joxean Koret (joxeankoret@yahoo.es)
Date: Tue Jan 22 2008 - 16:22:35 EST
Hi,
On lun, 2008-01-21 at 20:31 +0000, Clone wrote:
>
> Well I already tried
>
> Id=90; select * from usr
> I got following
>
> OCIStmtExecute: ORA-00911: invalid character in
> dbs.inc on line 44
>
OCIStmtExecute refuses to execute more than one command except when the
programmer uses a construction like:
begin
proc('user_controlled_data');
end;
>
> BTW how serious is the issue? Can an attacker delete
> or modify database using the current issue?
It depends on the privileges the user has and on which applications are
installed. First of all, you need to know the database version (banner
-varchar2- from v$version), what the other users are (all_users) and, of
course, your roles (user_role_privs views) and granted system privileges
(user_privs).
Regards,
Joxean Koret
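The two points raised in this message (OCIStmtExecute accepting only one statement unless the code wraps data in a PL/SQL "begin ... end;" block, and the impact depending on the application account's privileges) are illustrated below with an added PHP OCI8 example that is not part of the original thread. It assumes a table named usr with a numeric id column, a stored procedure named proc taking one VARCHAR2 argument, and a $conn handle from oci_connect(); the oci_* functions are the current names of the OCIParse/OCIBindByName/OCIExecute calls in use at the time.

```php
<?php
// Added example, not code from the thread. Assumed schema: table `usr`
// (numeric column `id`), procedure `proc(p in varchar2)`, $conn from oci_connect().

// VULNERABLE: the request value is spliced into the SQL text. OCIStmtExecute
// rejects a second statement ("Id=90; select ..." yields ORA-00911), but any
// injection that stays within a single statement is still parsed and run.
function fetch_user_vulnerable($conn, string $id)
{
    $stmt = oci_parse($conn, "select * from usr where id = " . $id);
    oci_execute($stmt);
    return oci_fetch_assoc($stmt);
}

// FIXED: the value is passed as a bind variable, so it is data, never SQL.
function fetch_user_safe($conn, string $id)
{
    $stmt = oci_parse($conn, "select * from usr where id = :id");
    oci_bind_by_name($stmt, ':id', $id);
    if (!oci_execute($stmt)) {
        $e = oci_error($stmt);
        trigger_error("query failed: " . $e['message'], E_USER_WARNING);
        return false;
    }
    return oci_fetch_assoc($stmt);
}

// The "begin proc('user_controlled_data'); end;" pattern from the message is
// one statement to OCI, so concatenating data into it reopens the multi-
// statement problem the driver otherwise blocks. Bind the argument instead.
function call_proc_safe($conn, string $data)
{
    $stmt = oci_parse($conn, "begin proc(:data); end;");
    oci_bind_by_name($stmt, ':data', $data, 4000); // 4000 = VARCHAR2 limit
    return oci_execute($stmt);
}

// Defensive check for the second point: list the roles granted to the account
// the web application connects as, so an administrator can confirm it holds
// nothing beyond what the application needs (user_role_privs is a standard view).
function app_account_roles($conn): array
{
    $stmt = oci_parse($conn, "select granted_role from user_role_privs");
    oci_execute($stmt);
    $roles = [];
    while (($row = oci_fetch_assoc($stmt)) !== false) {
        $roles[] = $row['GRANTED_ROLE'];
    }
    return $roles;
}
```

Run app_account_roles() once against the account used in dbs.inc; any role such as DBA or RESOURCE in the result means a single injected statement can do far more than read the usr table, regardless of the one-statement limit in OCIStmtExecute.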
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:21 EDT