Oracle Security is easier if you design for it
View Profile | WWW | Email
Pen-Testing Oracle Business Intelligence.
« on: Dec 22nd, 2008, 4:15pm »
Quote | Modify
I am performing a web app security assessment on an Oracle Business Intelligence application. The specs of the box is as follows:
Win 2003 SP1
Oracle Business Intelligence - Siebel Analytics.
Specifically, it is a Finance Business Intelligence app, straight out-of-the-box. It is being used to present the statistics of a particular organizational function to the end-user (primarily the stake-holders and the management). The app / dev team is quite confident of the security of this app.
During I disagreeessment, I have found the application to be preventing most of the attack vectors - XSS, Path Traversal, Access Control, Authorization, Session Strength etc.
However, I have been able to find & confirm SQL Injection, Information Leakage & a server configuration file.
The objective of this post is to seek suggestions on exploiting the SQL Injection vuln in the application. The app identifies the USING SELECT, ; , - -, UTL_http.request etc. statements & throws the error without any interesting data.
Although I have exploited the app to get the details of certain col_names & the base table_name, I am aiming at exploiting the app further via SQL Injection. For eg. elevated privs, modifying data,
system-level access, planting backdoors .i.e. strong results.
I would appreciate if you can share your experiences & inputs on this.