[sqlmap-users] sqlmap and oracle (just a thought)
Brought to you by:
inquisb
Menu
▾
▴
[sqlmap-users] sqlmap and oracle (just a thought)
|
From: <d...@ds...> - 2010-04-18 17:12:43
|
First, Sorry for my bad English I'm from Romania I use sqlmap to test web app+oracle db. Maybe will be done to use for oracle blind injetion technique like this http://example.com/app.jsp?id=21 and(1)=(select upper(XMLType(chr(60)||chr(58)||chr(58)||(select replace(banner,chr(32),chr(58)) from sys.v_$version where rownum=1)||chr(62))) from dual)-- it work only if print error is on, but technique will be useful i think. if need i cant post a real link with example. I write a small tool in python to use this technique but use a lot of utilities are not comfortable really want to see this technique in sqlmap :) if you need some form of assistance with this task would be happy to assist you two, Implement support of Oracle Application server to sqlmap :) Sqlmap dont know how to work with it, but exist more than one technique to exploit sql injection for Oracle Application Server if you're busy with other matters I would take to embed this technique in sqlmap with your help :) ____________________________________________________________________________________________________________________________________________________ Vitaly Turenko aka DSU (d[at]dsu.com.ua) My Oracle security blog http://dsu.com.ua/ |
