Re: Oracle Application Server 10g question

To: Lee Lawson <leejlawson@gmail.com>
Subject: Re: Oracle Application Server 10g question
From: Joxean Koret <joxeankoret@yahoo.es>
Date: Wed, 14 Mar 2007 22:26:03 +0100
Cc: PenTest <pen-test@securityfocus.com>
Hi Lee,

On mié, 2007-03-14 at 10:08 +0000, Lee Lawson wrote:
> 
> Consider the following URL:
> http://target.com/portal/page?_pageid=270,34&_dad=portal&_schema=PROTOCOL
> 
> This is the home page.  If I replace the _pageid= value with a single
> quote, I am presented with the following error on the web page.
> Error: ORA-06502: PL/SQL: numeric or value error: character to number
> conversion error 

That's not SQL injection. If you receive messages like these while
pen-testing an Oracle Application Server's app, ignore them. You should check
for messages like ORA-00933, ORA-01756 or ORA-00923 (Unclosed quotation
mark, etc...).

Ah! And check for any message starting with "PLS-". Those kinds of messages
are generated by badly composed SQL commands. For example, the following
bad SQL command:

BEGIN
  OWNER.PACKAGE([INJECTED &
MORE INJECTED DATA]
);
END;

Will generate a PLS-00103 error message. You should also check for
ORA-00604 messages (Error occurred at SQL recursive), ORA-00942 (table
or view does not exist) and ORA-03113 (End of file on communication
channels) or ORA-00600 (internal error), but the last 2 are very, very
strange to find.

Hope that helps.

Regards,
Joxean Koret
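
The triage rule from the reply above, written out as an added example that is not part of the original message: it extracts ORA-/PLS- codes from a response body or log line and labels them the way the reply groups them. The function names, labels and sample bodies are constructed for illustration.

```python
import re

# Grouping follows the reply above; labels and names are this example's own.
IGNORE = {"ORA-06502"}                            # conversion error: not injection
SYNTAX = {"ORA-00933", "ORA-01756", "ORA-00923"}  # statement failed to parse
CHECK = {"ORA-00604", "ORA-00942", "ORA-03113", "ORA-00600"}  # also worth a look

CODE_RE = re.compile(r"\b(?:ORA|PLS)-\d{5}\b")
PRIORITY = ["syntax", "check", "unlisted", "ignore"]  # strongest signal first


def classify(code):
    """Label one error code according to the groups above."""
    if code in IGNORE:
        return "ignore"
    if code in SYNTAX or code.startswith("PLS-"):  # any PLS- message counts
        return "syntax"
    if code in CHECK:
        return "check"
    return "unlisted"


def triage(body):
    """Return (verdict, {code: label}) for one response body or log line."""
    labels = {code: classify(code) for code in CODE_RE.findall(body)}
    found = set(labels.values())
    verdict = next((p for p in PRIORITY if p in found), "no-error")
    return verdict, labels


# Constructed sample bodies (not captured from a real server).
SAMPLES = [
    "Error: ORA-06502: PL/SQL: numeric or value error: character to number conversion error",
    "ORA-06550: line 2, column 17: PLS-00103: Encountered the symbol ...",
    "ORA-00604: error occurred at recursive SQL level 1 ORA-00942: table or view does not exist",
    "<html><body>Welcome to the portal</body></html>",
]

if __name__ == "__main__":
    for body in SAMPLES:
        verdict, labels = triage(body)
        print(f"{verdict:9} {labels}")
```

A body that carries several codes gets the strongest label present, so an unlisted wrapper code next to a PLS- message is still reported as "syntax".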
