Title: Pen-Testing Oracle Business Intelligence

Post by Pete Finnigan on Dec 22nd, 2008, 4:15pm

Greetings All,

I am performing a web app security assessment on an Oracle Business Intelligence application. The specs of the box are as follows:

IIS 6.0
Win 2003 SP1
Oracle Business Intelligence - Siebel Analytics

Specifically, it is a Finance Business Intelligence app, straight out-of-the-box. It is being used to present the statistics of a particular organizational function to the end-user (primarily the stake-holders and the management). The app / dev team is quite confident of the security of this app.

During my assessment, I have found the application to be preventing most of the attack vectors - XSS, Path Traversal, Access Control, Authorization, Session Strength etc. However, I have been able to find & confirm SQL Injection, Information Leakage & a server configuration file.

The objective of this post is to seek suggestions on exploiting the SQL Injection vuln in the application. The app identifies the USING SELECT, ; , - -, UTL_http.request etc. statements & throws the error without any interesting data. Although I have exploited the app to get the details of certain col_names & the base table_name, I am aiming at exploiting the app further via SQL Injection, e.g. elevated privs, modifying data, system-level access, planting backdoors, i.e. strong results.

I would appreciate it if you can share your experiences & inputs on this.

Best Regards,
positive.victor
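The post describes an application that rejects input containing keywords such as SELECT, `;`, `--` and UTL_HTTP, yet is still injectable. The example below is added here and is not code from the post, the poster or Oracle BI; it uses an in-memory SQLite table with constructed sample data (not the real Finance BI schema), a keyword denylist in the spirit of the one the post describes, and contrasts the concatenated query that makes the injection possible with the parameterized query a dev team should ship. The point for defenders is that the parameterized version returns nothing for the hostile string whether or not a denylist is in front of it, so the denylist becomes defence in depth rather than the only control.

```python
import re
import sqlite3

# Constructed sample table standing in for a BI fact table (not the real schema).
SAMPLE_ROWS = [
    (1, "EMEA", 120.5),
    (2, "APAC", 98.0),
    (3, "AMER", 143.2),
]


def make_db():
    """Build an in-memory SQLite database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE finance_stats (id INTEGER, region TEXT, revenue REAL)")
    conn.executemany("INSERT INTO finance_stats VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


# Keyword denylist approximating what the post describes (SELECT, ';', '--', UTL_HTTP).
# A denylist like this is hard to make complete; it is kept here only as a second layer.
DENYLIST = re.compile(r"(select|;|--|utl_http)", re.IGNORECASE)


def denylist_rejects(user_input):
    """True if the input would be refused by the keyword filter."""
    return DENYLIST.search(user_input) is not None


def lookup_concat(conn, region):
    """Vulnerable pattern: user input spliced into the SQL text."""
    sql = ("SELECT id, region, revenue FROM finance_stats WHERE region = '"
           + region + "'")
    return conn.execute(sql).fetchall()


def lookup_param(conn, region):
    """Hardened pattern: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT id, region, revenue FROM finance_stats WHERE region = ?"
    return conn.execute(sql, (region,)).fetchall()


def lookup_hardened(conn, region):
    """Parameterized query plus denylist as defence in depth; no raw DB errors leak."""
    if denylist_rejects(region):
        return {"error": "request rejected", "rows": []}
    try:
        return {"error": None, "rows": lookup_param(conn, region)}
    except sqlite3.Error:
        # Generic message only: the post notes the app already avoids leaking detail.
        return {"error": "query failed", "rows": []}


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR 1=1 --"  # classic test string; contains '--' so the filter catches it
    print("normal, concat:   ", lookup_concat(db, "EMEA"))
    print("hostile, concat:  ", lookup_concat(db, hostile))   # every row comes back
    print("hostile, param:   ", lookup_param(db, hostile))    # no rows: treated as data
    print("hostile, hardened:", lookup_hardened(db, hostile))
```

Run it and the concatenated lookup returns all three rows for the hostile string while the parameterized lookup returns none; that difference, not the completeness of the keyword list, is what closes the finding.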