Re: SQL Smuggling
Avi,
On Tue, 9 Sep 2008, douglen@xxxxxxxxxxx wrote:
[snip]
Of course, I'm looking forward to hearing about other instances of
this...
Interesting research.
It looks like Oracle DBMS may be vulnerable to the "Unicode Smuggling"
attack exploiting homoglyphic translation. As outlined by David Litchfield
in an old full-disclosure post [1]:
"It didn't take long to discover that this patch could be bypassed using
the following technique: due to internationalization, an Oracle database
server will convert the ÿ character (value 0xFF) to a capital Y. The PLSQL
Gateway will not. Thus, if we request:
http://www.example.com/pls/dad/S%FFS.PACKAGE.PROCEDURE
the gateway will happily pass it over to the database server where the ÿ
is converted to a Y and we can gain access again".
Cheers,
[1] See http://seclists.org/fulldisclosure/2006/Feb/0011.html
--
Marco Ivaldi, OPST
Red Team Coordinator, Data Security Division
@ Mediaservice.net Srl http://mediaservice.net/
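An added example, not part of this thread or of Litchfield's post, modelling the canonicalization mismatch in Python: a front-end check on the raw request bytes beside one that folds the name the same way the back end does before deciding. The fold rule, paths and blocked-schema list are constructed assumptions, not Oracle's actual behaviour.

```python
# Toy model of the gateway/back-end mismatch described above.
# The front end filters the raw path; the back end (modelled here as a
# constructed rule) decodes Latin-1, folds 0xFF (ÿ) to "Y" and upper-cases
# before resolving the schema name. Values below are illustrative only.
from urllib.parse import unquote_to_bytes

# Constructed deny-list of schema names the front end is meant to block.
BLOCKED_SCHEMAS = {"SYS", "SYSTEM"}


def backend_canonicalize(raw: bytes) -> str:
    """Assumed back-end fold: Latin-1 decode, ÿ (0xFF) -> Y, then upper-case."""
    return raw.decode("latin-1").replace("\xff", "Y").upper()


def schema_of(path: str) -> bytes:
    """Extract the first dotted component of the last path segment as raw bytes.

    "/pls/dad/S%FFS.PACKAGE.PROC" -> b"S\\xffS"
    """
    last_segment = path.rsplit("/", 1)[-1]
    return unquote_to_bytes(last_segment).split(b".", 1)[0]


def weak_gateway_allows(path: str) -> bool:
    """Vulnerable check: compares the un-normalized name.

    str.upper() maps ÿ to Ÿ (U+0178), not to Y, so "SÿS" never matches "SYS"
    here even though the back end will resolve it as SYS.
    """
    return schema_of(path).decode("latin-1").upper() not in BLOCKED_SCHEMAS


def hardened_gateway_allows(path: str) -> bool:
    """Fixed check: canonicalize exactly as the back end will, then decide."""
    return backend_canonicalize(schema_of(path)) not in BLOCKED_SCHEMAS


def backend_resolves_to(path: str) -> str:
    """What the back end would actually look up for this request."""
    return backend_canonicalize(schema_of(path))


if __name__ == "__main__":
    for p in ("/pls/dad/SYS.PACKAGE.PROC", "/pls/dad/S%FFS.PACKAGE.PROC"):
        print(p, "weak:", weak_gateway_allows(p),
              "hardened:", hardened_gateway_allows(p),
              "backend sees:", backend_resolves_to(p))
```

The lesson is the general one: any filter placed in front of a component that normalizes its input must apply the same normalization first, or compare on the canonical form the back end will actually use.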