[18262] in bugtraq


Re: Oracle WebDb engine brain-damagse

daemon@ATHENA.MIT.EDU (McAllister, Andrew)
Thu Dec 21 01:06:20 2000

Mime-Version: 1.0
Content-Type: text/plain
Message-Id:  <D6F9BFB17375D3118C59006094516E99D5B248@UM-MAIL02>
Date:         Wed, 20 Dec 2000 16:46:48 -0600
Reply-To: "McAllister, Andrew" <McAllisterA@UMSYSTEM.EDU>
From: "McAllister, Andrew" <McAllisterA@UMSYSTEM.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM

> -----Original Message-----
> From: Michal Zalewski [mailto:lcamtuf@DIONE.IDS.PL]
> Sent: Tuesday, December 19, 2000 6:54 AM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Oracle WebDb engine brain-damagse
>
snip
> http://www.<bcc>.oo.uk/somedir/select%09*%09from%09(tablename)
>
> ORA-06550: line 5, column 2:
> PLS-00428: an INTO clause is expected in this SELECT statement
>
> Isn't that BEAUTIFUL? It is!:> If something is wrong, it will instruct you
> on proper syntax! I've never seen something like that... erm, not, I am
> lying :P But, nevertheless, it looks awesome! No, I won't make another
> step, building working SELECT to browse thru databases (I do not want to
> be sued by BigCarCompany ;). Of course, SELECT isn't the only one
> possibility... Script kiddies, please read some book on OAS/SQL queries
> syntax. Or better, do not try this at all.

I'm not sure that a select would work as I believe that the query is running
inside a PL/SQL prepared statement where output is not sent to stdout, i.e.
the browser. In other words I believe your statement is translated into
something like:

begin
   -- WebDB's own procedure call runs first...
   some_webdb_standard_stored_procedure_call;
   -- ...then the statement taken from the URL path, inside the same
   -- anonymous block, where a SELECT has nowhere to send its rows
   select * from (tablename);
end;

This is not to say that you can't issue some dangerous commands as you
suggest, just that you won't see any data as a result. Also, I believe that
only data manipulation commands will work in this context e.g. delete,
update, insert. I don't believe definition commands will work, e.g. drop,
create. Again I don't have WebDB, so I cannot verify.

Assuming you know the name of an existing table try this:
http://www.<bcc>.oo.uk/somedir/delete%09from%09tablename

Anyone with WebDB installed should be able to figure out some interesting
tables to trash.

I don't know this product well enough to say the above query will work, but
I know of a similar, non-oracle, product that behaves exactly as Michal
Zalewski describes. That product vendor was notified moments ago of Michal
Zalewski's discovery (full credit given of course).

Andrew McAllister
University of Missouri

snip

>_______________________________________________________
>Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
>[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
>=--=> Did you know that clones never use mirrors? <=--=

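The requests discussed in this thread share one visible trait: SQL verbs and a FROM/INTO clause placed directly in the URL path, with tab characters encoded as %09 standing in for spaces. The following is an added example, not code from the original posts or from Oracle: a small log-scanning routine that percent-decodes request paths (including double encoding), collapses the decoded whitespace, and flags paths that carry both a SQL verb and a clause keyword. The log lines are constructed for illustration and reuse the URL shapes quoted above with a placeholder host.

```python
"""Added example (not from the original thread or from Oracle): flag
web-server requests whose URL path carries SQL keywords separated by
URL-encoded whitespace, the pattern shown in the WebDB report."""
import re
from urllib.parse import unquote

# SQL verbs the reply discusses (DML it believes would run, DDL it
# believes would not); every one of them is worth an alert in a URL path.
VERBS = {"select", "insert", "update", "delete", "drop", "create",
         "alter", "truncate"}
# Clause keywords that, together with a verb, make a path look like a
# statement rather than a word that happens to be a SQL verb.
FOLLOWERS = {"from", "into", "table", "set", "where", "values"}

# Common-log-format request field: method, path, protocol, then status.
LOG_LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log lines; host and client addresses are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2000:16:46:48 -0600] "GET /somedir/select%09*%09from%09(tablename) HTTP/1.0" 500 812
10.0.0.5 - - [20/Dec/2000:16:47:02 -0600] "GET /somedir/delete%09from%09tablename HTTP/1.0" 200 311
10.0.0.9 - - [20/Dec/2000:16:47:30 -0600] "GET /somedir/select-plan HTTP/1.0" 200 2048
10.0.0.9 - - [20/Dec/2000:16:48:01 -0600] "GET /reports/delete_from_archive.html HTTP/1.0" 200 1024
"""


def normalize_path(path: str) -> str:
    """Percent-decode until stable (catches %2509 -> %09 -> tab), then
    collapse every run of whitespace, tabs included, to one space."""
    decoded = path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return re.sub(r"\s+", " ", decoded).strip().lower()


def flags_sql_in_path(path: str) -> bool:
    """True when the path (query string excluded) contains a SQL verb and
    a clause keyword as separate tokens. Underscores stay inside a token,
    so /delete_from_archive.html is not treated as 'delete from'."""
    norm = normalize_path(path.split("?", 1)[0])
    tokens = set(re.findall(r"[a-z_*]+", norm))
    return bool(tokens & VERBS) and bool(tokens & FOLLOWERS)


def scan_log(lines):
    """Return (path, status) for every request line whose path is flagged."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m and flags_sql_in_path(m.group("path")):
            hits.append((m.group("path"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for path, status in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{status} {path}")
```

Because the path is normalised before matching, the check is the same whether the attacker-controlled whitespace arrives as %09, %20 or a doubly encoded %2509; the two-token requirement keeps ordinary paths such as /select-plan out of the alert stream. The 500 status on the first sample line is the other thing worth watching here: the reply notes that WebDB returns ORA-/PLS- diagnostics to the browser, so an application that echoes database errors should be reconfigured to return a generic error page.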