Penetration Testing mailing list archives
Re: Oracle Application Server 10g question
From: Joxean Koret <joxeankoret () yahoo es>
Date: Wed, 14 Mar 2007 22:26:03 +0100
Hi Lee, On miƩ, 2007-03-14 at 10:08 +0000, Lee Lawson wrote:
Consider the following URL: http://target.com/portal/page?_pageid=270,34&_dad=portal&_schema=PROTOCOL This is the home page. If I replace the _pageid= value with a single quote, I am presented with the following error on the web page. Error: ORA-06502: PL/SQL: numeric or value error: character to number conversion error
That's not SQL injection. If you receive messages like these while pen-testing an Oracle Application Server's app ignore. You should check for messages like ORA-00933, ORA-01756 or ORA-00923 (Unclosed quotation mark, etc...). Ah! An check for any message starting with "PLS-". That kind of messages are generated by badly composed sql commands. In Example, the following bad SQL command: BEGIN OWNER.PACKAGE([INJECTED & MORE INJECTED DATA] ); END; Will generate a PLS-00103 error message. You should also check for ORA-00604 messages ( Error ocurred at SQL recursive ), ORA-00942 (table or view does not exists) and ORA-03113 (End of file on communication channels) or ORA-00600 (internal error), but the 2 last are very-very strange to find. Hope that helps. Regards, Joxean Koret
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Oracle Application Server 10g question Lee Lawson (Mar 14)
- Re: Oracle Application Server 10g question Joxean Koret (Mar 18)
- Re: Oracle Application Server 10g question Marco Ivaldi (Mar 18)
- <Possible follow-ups>
- Oracle Application Server 10g question Zed Qyves (Mar 18)