Comments on: Blind SQL Injection in Oracle http://www.slaviks-blog.com/2009/10/13/blind-sql-injection-in-oracle/ Slavik's Blog Thu, 22 Jul 2010 15:04:28 -0700 hourly 1 http://wordpress.org/?v=3.0.1 By: Week 42 in Review – 2009 | Infosec Events http://www.slaviks-blog.com/2009/10/13/blind-sql-injection-in-oracle/comment-page-1/#comment-4180 Week 42 in Review – 2009 | Infosec Events Wed, 03 Feb 2010 06:37:24 +0000 http://www.slaviks-blog.com/?p=187#comment-4180 [...] Blind SQL Injection in Oracle – slaviks-blog.com This post describes SQL injection types, examples for web apps and blind SQL injection into Oracle databases. [...] [...] Blind SQL Injection in Oracle – slaviks-blog.com This post describes SQL injection types, examples for web apps and blind SQL injection into Oracle databases. [...]

]]> By: Pete Finnigan http://www.slaviks-blog.com/2009/10/13/blind-sql-injection-in-oracle/comment-page-1/#comment-3984 Pete Finnigan Thu, 15 Oct 2009 09:56:36 +0000 http://www.slaviks-blog.com/?p=187#comment-3984 Hi Slavik, Thanks for your reply. Yes i understood the paper and also what you were saying. i was just pointing at anything I could remember in the same "space" and also say "yes" I think you have a valid technique. cheers Pete Hi Slavik,

Thanks for your reply. Yes i understood the paper and also what you were saying. i was just pointing at anything I could remember in the same “space” and also say “yes” I think you have a valid technique.

cheers

Pete

]]> By: Slavik http://www.slaviks-blog.com/2009/10/13/blind-sql-injection-in-oracle/comment-page-1/#comment-3983 Slavik Thu, 15 Oct 2009 02:32:02 +0000 http://www.slaviks-blog.com/?p=187#comment-3983 @Pete Hi Pete, Of course I'm familiar with the same techniques for SQL Server (it's even in the blog entry). What I was not familiar with is the technique for Oracle. To me, it sounds a very valid attack technique because DBMS_PIPE and such are usually open in the databases I've seen. @Pete

Hi Pete,

Of course I’m familiar with the same techniques for SQL Server (it’s even in the blog entry). What I was not familiar with is the technique for Oracle. To me, it sounds a very valid attack technique because DBMS_PIPE and such are usually open in the databases I’ve seen.

]]> By: Pete Finnigan http://www.slaviks-blog.com/2009/10/13/blind-sql-injection-in-oracle/comment-page-1/#comment-3981 Pete Finnigan Wed, 14 Oct 2009 13:00:38 +0000 http://www.slaviks-blog.com/?p=187#comment-3981 Hi Slavik, yes this is a valid technique. Chema Alonso wrote a paper including this technique two years ago. I linked to it in my SQL Server security blog at the time - http://database-security.petefinnigan.com/sqlserver/weblog/archives/00000009.htm - he also references a number of other sources such as Chris Anley and David Litchfield who also talk about this technique. cheers Pete Hi Slavik,

yes this is a valid technique. Chema Alonso wrote a paper including this technique two years ago. I linked to it in my SQL Server security blog at the time – http://database-security.petefinnigan.com/sqlserver/weblog/archives/00000009.htm – he also references a number of other sources such as Chris Anley and David Litchfield who also talk about this technique.

cheers

Pete

]]>