   Pete Finnigan's Oracle Security Forum
Pete Finnigan (Administrator)
Pen-Testing Oracle Business Intelligence.
« on: Dec 22nd, 2008, 4:15pm »

Greetings All,
I am performing a web app security assessment on an Oracle Business Intelligence application. The specs of the box are as follows:
IIS 6.0
Win 2003 SP1
Oracle Business Intelligence - Siebel Analytics.
Specifically, it is a Finance Business Intelligence app, straight out-of-the-box. It is being used to present the statistics of a particular organizational function to the end-user (primarily the stakeholders and the management). The app / dev team is quite confident of the security of this app.
During my assessment, I have found the application to be preventing most of the attack vectors - XSS, Path Traversal, Access Control, Authorization, Session Strength etc.
However, I have been able to find & confirm SQL Injection, Information Leakage & a server configuration file.
The objective of this post is to seek suggestions on exploiting the SQL Injection vuln in the application. The app identifies the use of SELECT, ;, --, UTL_http.request etc. statements & throws the error without any interesting data.
Although I have exploited the app to get the details of certain col_names & the base table_name, I am aiming at exploiting the app further via SQL Injection, e.g. elevated privs, modifying data, system-level access, planting backdoors, i.e. strong results.
I would appreciate if you can share your experiences & inputs on this.
Best Regards,