Penetration Testing mailing list archives
Oracle Ultra Search - SQL Injection
From: The Dead <th3d34d () gmail com>
Date: Mon, 13 Dec 2010 16:28:41 -0200
Hello guys!

I'm doing a pen-test and I found some apps that use Oracle Ultra Search technology that seems not to filter user input properly. I got this error when I input, for example:

Input: '{--

ORA-29902: error in executing ODCIIndexStart() routine
ORA-20000: Oracle Text error:
DRG-50900: text query parser error on line 1, column 6
DRG-50917: escape on at end of text query string
DRG-50900: text query parser error on line 1, column 6
DRG-50917: escape on at end of text query string

When I input a big text I got:

ORA-06502: PL/SQL: numeric or value error: character string buffer too small.

Does anyone have a clue? I'm just now studying Oracle Ultra Search to understand how it works, but if you have something to share I'd appreciate it.

Thanks,
DEAD