Penetration Testing mailing list archives

Oracle Ultra Search - SQL Injection


From: The Dead <th3d34d () gmail com>
Date: Mon, 13 Dec 2010 16:28:41 -0200

Hello guys!

I'm doing a pen-test and I found some apps that use Oracle Ultra
Search technology that seems not to filter user input properly.
I got this error when I input, for example:

Input: '{--

ORA-29902: error in executing ODCIIndexStart() routine ORA-20000:
Oracle Text error: DRG-50900: text query parser error on line 1,
column 6 DRG-50917: escape on at end of text query string DRG-50900:
text query parser error on line 1, column 6 DRG-50917: escape on at
end of text query string

When I input a big text I got:

ORA-06502: PL/SQL: numeric or value error: character string buffer too small.

Any clues? I'm just now studying Oracle Ultra Search to understand
how it works, but if you have something to share I'd appreciate it.

Thanks,

DEAD
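
The following is an added example, not part of the original post. In Oracle Text query syntax `{` opens an escape sequence, so a raw `'{--` reaches the query parser with an unterminated escape, which is what DRG-50917 reports. The sketch shows one conservative way for an application to build the text query from user input; the function name, the length limit and the table and column names are assumptions.

```python
import re

# Assumed application limit (constructed value): reject oversized input up
# front instead of letting it overflow a PL/SQL string buffer (ORA-06502).
MAX_QUERY_CHARS = 200

# Letters and digits only; every operator and punctuation character is dropped.
_WORD = re.compile(r"[^\W_]+")


def build_text_query(user_input, max_chars=MAX_QUERY_CHARS):
    """Return a safe Oracle Text query string, or None if nothing is searchable."""
    if len(user_input) > max_chars:
        raise ValueError("search input too long")
    words = _WORD.findall(user_input)
    if not words:
        return None
    # {word} makes the parser treat the token as literal text, so reserved
    # words such as AND, OR or NEAR are searched for, not run as operators.
    return " AND ".join("{" + w + "}" for w in words)


if __name__ == "__main__":
    # Constructed sample inputs, including the one from the post.
    for sample in ["'{--", "oracle AND {text}", "ultra_search 10g"]:
        print(repr(sample), "->", build_text_query(sample))
    # The result is passed as a bind variable, never concatenated into SQL:
    #   SELECT id FROM docs WHERE CONTAINS(body, :q) > 0   (hypothetical table)
```

Dropping punctuation loses the ability to search for symbols; that trade-off is deliberate here so that no user-supplied character can change the structure of the text query.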
