Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2004
  • Last Modified:

sql injection to select utl_inaddr.get_host_address and XS$CACHE_DELETE

found that someone use sql injection to run this sql in my oracle database via web application. I don't get his purpose. why use utl_inaddr.get_host_address and number of columns in XS$CACHE_DELETE???

select utl_inaddr.get_host_address(((
SELECT CAST (COUNT (column_name) AS CHAR (10))
  FROM all_tab_columns
 WHERE table_name =
             CHR (88)
          || CHR (83)
          || CHR (36)
          || CHR (67)
          || CHR (65)
          || CHR (67)
          || CHR (72)
          || CHR (69)
          || CHR (95)
          || CHR (68)
          || CHR (69)
          || CHR (76)
          || CHR (69)
          || CHR (84)
          || CHR (69)
))) from dual

Open in new window

0
Hoboly
Asked:
Hoboly
  • 4
  • 3
2 Solutions
 
sdstuberCommented:
Do you have a table called "XS$CACHE_DELETE"  ?


The purpose of using utl_inaddr.get_host_address  is a quirk of the error message returned by the function.  If the host name passed in produces an error, that "name" will be returned as part of the error

For example....

select utl_inaddr.get_host_address('something that will produce an error') from dual

ORA-29257: host something that will produce an error unknown
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Open in new window


So, by nesting a query inside the function call , the query is executed and the output of the query is taken as a host name that will likely be illegal and generate an error.  Then that illegal text will be returned as part of the error message
0
 
HobolyAuthor Commented:
no XS$DELETE
but these is a table XS$CACHE_DELETE

SQL> desc XS$CACHE_DELETE
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 OBJ_TYPE                                           NUMBER(2)
 NAME                                               VARCHAR2(4000)
 DEL_DATE                                  NOT NULL TIMESTAMP(6)

SQL>

should be standard oracle 11g table
0
 
HobolyAuthor Commented:
thanks Sdstuber
but I don't get it why COUNT (column_name)  into utl_inaddr.get_host_address.
if he wants to get the ip, he can just use utl_inaddr.get_host_address(host name) instead of utl_inaddr.get_host_address(column count)
0
Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

 
sdstuberCommented:
He doesn't want an ip address, he wants the query results.
That's the key to the injection.  By failing you get to see the inner query results.
Or by constructing a query that returns a numeric result that number will appear as part of an ip address even though it really isn't one.


Try this...

SELECT UTL_INADDR.get_host_address(
           'There are ' || (SELECT COUNT(*) FROM dba_tables) || ' tables in this database'
       )
  FROM DUAL;

You should get an error something like this.
The 2923 will be vary based on your system.


ORA-29257: host There are 2923 tables in this database unknown



As I said above, the inner query is executed and the results are returned in the error.
0
 
sdstuberCommented:
XS$CACHE_DELETE - sorry, I posted that then saw my mistake and corrected it.

I don't know of a specific hack to utilize that table or its contents; but it's mere existence would tell the hacker that XDB has been installed and that knowledge can provide a new attack vector.
0
 
sdstuberCommented:
Actually, on further review of the initial query,  the error message part probably isn't going to happen.  Sorry for the confusion

If you run the injection query you should get either

0.0.0.0    -- meaning you do not have the table, i.e. XDB is not installed
 or
0.0.0.3    -- meaning you do have the table, i.e XDB is installed


Using the same technique though,  you can execute other queries and check the error messages to see what the results of those queries will be
0
 
HobolyAuthor Commented:
Excellent explanation! Thanks!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now