SqlInjection
Results 1 to 3 of 3

Thread: SqlInjection

  1. #1
    Junior Member
    Join Date
    Dec 2006
    Posts
    22

    SqlInjection

    hey
    someone is aware of SqlInjection attack on Oracle database ver 10g R2 with unprivilege user (or a minimal privilege) ?
    thanks !

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    I regularly check David Litchfields blog (nice review[1]), but there was
    nothing like that (I may be wrong of course) since the
    DBMS_EXPORT_EXTENSION Injection (package with public execute access;
    simply prevented with REVOKE EXECUTE ON SYS.DBMS_EXPORT_EXTENSION FROM PUBLIC FORCE[2-4]

    Although there was a myriad of bugs and security flaws with oracle,
    I can't remember another sql injection as dramatic as the above
    mentioned.


    Cheers

    [1] http://www.davidlitchfield.com/blog/...s/00000001.htm
    [2] http://www.securityfocus.com/archive/1/431353 (Jose
    Antonio Coret)
    [3] http://lists.grok.org.uk/pipermail/f...il/045540.html (david litchfield)
    [4] http://www.securiteam.com/exploits/5FP011FKKK.html and others.
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Definitely check out Peter Finnigan...

    http://www.petefinnigan.com/
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •