<<< Date Index >>>     <<< Thread Index >>>

Re: SQL Smuggling



Avi,

On Tue, 9 Sep 2008, douglen@xxxxxxxxxxx wrote:

[snip]

Of course, I'm looking forward to hearing about other instances of this...

Interesting reasearch.

It looks like Oracle DBMS may be vulnerable to the "Unicode Smuggling" attack exploiting homoglyphic translation. As outlined by David Litchfield in an old full-disclosure post [1]:

"It didn't take long to discover that this patch could be bypassed using the following techinque: due to internationalization, an Oracle database server will convert the ? character (value 0xFF) to a capital Y. The PLSQL Gateway will not. Thus, if we request:

http://www.example.com/pls/dad/S%FFS.PACKAGE.PROCEDURE

the gateway will happily pass it over to the database server where the ? is conveted to a Y and we can gain access again".

Cheers,

[1]. See http://seclists.org/fulldisclosure/2006/Feb/0011.html

--
Marco Ivaldi, OPST
Red Team Coordinator      Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/