Penetration Testing mailing list archives

Re: Oracle Application Server 10g question


From: Joxean Koret <joxeankoret () yahoo es>
Date: Wed, 14 Mar 2007 22:26:03 +0100

Hi Lee,

On mié, 2007-03-14 at 10:08 +0000, Lee Lawson wrote:

> Consider the following URL:
> http://target.com/portal/page?_pageid=270,34&_dad=portal&_schema=PROTOCOL
>
> This is the home page.  If I replace the _pageid= value with a single
> quote, I am presented with the following error on the web page.
> Error: ORA-06502: PL/SQL: numeric or value error: character to number
> conversion error

That's not SQL injection. If you receive messages like these while
pen-testing an Oracle Application Server's app, ignore them. You should
check for messages like ORA-00933, ORA-01756 or ORA-00923 (Unclosed
quotation mark, etc...).

Ah! And check for any message starting with "PLS-". That kind of message
is generated by badly composed SQL commands. For example, the following
bad SQL command:

BEGIN
  OWNER.PACKAGE([INJECTED &
MORE INJECTED DATA]
);
END;

Will generate a PLS-00103 error message. You should also check for
ORA-00604 messages (Error occurred at SQL recursive), ORA-00942 (table
or view does not exist) and ORA-03113 (End of file on communication
channels) or ORA-00600 (internal error), but the last 2 are very, very
strange to find.

Hope that helps.

Regards,
Joxean Koret
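
A triage helper for the codes discussed in this message, as an added example that is not part of the original post: it pulls ORA-/PLS- codes out of response bodies (captured during an authorised test or taken from application logs) and sorts them into the groups the reply describes. The function names, the verdict labels and the sample bodies are assumptions made for illustration.

```python
import re

# Codes named in the post, grouped the way the post groups them.
SYNTAX_CODES = {"ORA-00933", "ORA-01756", "ORA-00923"}   # "unclosed quotation mark, etc."
ALSO_CHECK = {"ORA-00604", "ORA-00942", "ORA-03113", "ORA-00600"}
IGNORE_CODES = {"ORA-06502"}   # character-to-number conversion: "not SQL injection"

CODE_RE = re.compile(r"\b(?:ORA|PLS)-\d{5}\b")


def extract_codes(body):
    """Distinct ORA-/PLS- codes in a response body, in order of first appearance."""
    seen = []
    for code in CODE_RE.findall(body):
        if code not in seen:
            seen.append(code)
    return seen


def triage(body):
    """Return (verdict, codes); verdict is review, ignore, unlisted or none."""
    codes = extract_codes(body)
    review = [c for c in codes
              if c.startswith("PLS-") or c in SYNTAX_CODES or c in ALSO_CHECK]
    if review:                       # one listed code outranks any ignorable one
        return "review", review
    ignored = [c for c in codes if c in IGNORE_CODES]
    if ignored:
        return "ignore", ignored
    return ("unlisted", codes) if codes else ("none", [])


# Constructed response bodies (not taken from any real system).
SAMPLES = {
    "conversion": "Error: ORA-06502: PL/SQL: numeric or value error: "
                  "character to number conversion error",
    "plsql_block": "ORA-06550: line 2, column 17: PLS-00103: Encountered the symbol",
    "mixed": "ORA-06502: PL/SQL: numeric or value error ORA-00942: table or view",
    "clean": "<html><body>Welcome</body></html>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, *triage(body))
```

A "review" verdict marks a page whose input reaches a SQL or PL/SQL statement and whose error text is exposed to the client; both are worth fixing with bind variables and a generic error page.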
