I had gathered an interesting collection of quick methods of blind SQL Injection exploitation, but I was lacking in a similar method for another widespread DBMS – Oracle. It induced me to conduct a small research intended for discovering analogous methods applicable to the specified database.
I found out that all known methods of error-based Blind SQL Injection exploitation don’t work in the Oracle environment. Then, my attention was attracted by the functions of interaction with the XML format. After a short investigation, I found a function XMLType() that returns the first symbol of requested data in the error message (LPX-00XXX):
For more information, please read this blog:
http://ptresearch.blogspot.com/2010/01/methods-of-quick-exploitation-of-blind_25.html
Sunday, February 14, 2010
Subscribe to:
Post Comments (Atom)
Posts
1 comment:
good, i drop by here through keyword "sql injection" via a service call "blogger auto follow" im following u.. hope to see u in my followers list soon and would love to share anything from internet, network and information security stuff.
regards,
Hacking Expose! Team
Post a Comment