Bugtraq mailing list archives
Re: Oracle WebDb engine brain-damagse
From: "Kuznetsov, Vasily" <VKuznetsov () MICROTEST RU>
Date: Thu, 21 Dec 2000 11:43:39 +0500
-----Original Message-----
From: McAllister, Andrew [mailto:McAllisterA () umsystem edu]
Sent: Thursday, December 21, 2000 3:47 AM
To: BUGTRAQ () securityfocus com
Subject: Re: [BUGTRAQ] Oracle WebDb engine brain-damagse
> ...
> I'm not sure that a select would work as I believe that the query is running inside a PL/SQL prepared statement where output is not sent to stdout, i.e. the browser. In other words I believe your statement is translated into something like:
>
> begin
>   some_webdb_standard_stored_procedure_call;
>   select * from (tablename);
> end;

Looks the same to me.

> This is not to say that you can't issue some dangerous commands as you suggest, just that you won't see any data as a result. Also,
An attacker could probably use the standard WebDB means of output to get the data to his browser. Something like

for i in (select ...) loop
  some_web_db_output_proc(...);
end loop;

would probably do the trick.
> I believe that only data manipulation commands will work in this context e.g. delete, update, insert. I don't believe definition commands will work, e.g. drop, create. Again I don't have WebDB, so I cannot verify.

DDL commands can probably be issued via execute immediate, although I too don't have WebDB around to check.

Vasily Kuznetsov
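The weakness both posters are reasoning about is caller-supplied text being spliced into an anonymous PL/SQL block that the server then executes. The following PL/SQL is an added illustration and is not code from this thread or from Oracle WebDB: it puts that unsafe splicing pattern beside a form whose block structure cannot be altered by the caller. The procedure names, the EMP and EMP_ARCHIVE tables, their ENAME and DEPTNO columns, and the use of the PL/SQL Web Toolkit's htp.p for browser output are assumptions made for the example; DBMS_ASSERT is the real Oracle package (10g and later).

```sql
-- Unsafe: the table name and the filter value are concatenated into the text
-- of an anonymous block, so whatever the caller sends becomes program text.
-- Assumed names: list_names_unsafe, EMP, ENAME, DEPTNO.
CREATE OR REPLACE PROCEDURE list_names_unsafe (p_table  IN VARCHAR2,
                                               p_deptno IN VARCHAR2) AS
BEGIN
  EXECUTE IMMEDIATE
    'begin '
 || '  for r in (select ename from ' || p_table
 || '            where deptno = ' || p_deptno || ') loop '
 || '    htp.p(r.ename); '           -- htp.p writes to the HTTP response
 || '  end loop; '
 || 'end;';
END;
/

-- Hardened: the identifier must match a fixed allow-list and is emitted as a
-- single quoted token, and the value is passed as a bind variable. The block's
-- structure is therefore fixed at design time regardless of the input.
CREATE OR REPLACE PROCEDURE list_names_safe (p_table  IN VARCHAR2,
                                             p_deptno IN VARCHAR2) AS
  l_table VARCHAR2(30);
BEGIN
  -- Allow-list of the only tables this page is meant to show (assumed names).
  l_table := CASE UPPER(p_table)
               WHEN 'EMP'         THEN 'EMP'
               WHEN 'EMP_ARCHIVE' THEN 'EMP_ARCHIVE'
             END;
  IF l_table IS NULL THEN
    RAISE_APPLICATION_ERROR(-20001, 'table not permitted');
  END IF;

  -- DBMS_ASSERT.ENQUOTE_NAME wraps the identifier in double quotes and
  -- raises ORA-44003 if it contains a stray double quote, so the name can
  -- never terminate early and continue as statement text.
  EXECUTE IMMEDIATE
    'begin '
 || '  for r in (select ename from ' || DBMS_ASSERT.ENQUOTE_NAME(l_table)
 || '            where deptno = :1) loop '
 || '    htp.p(r.ename); '
 || '  end loop; '
 || 'end;'
  USING TO_NUMBER(p_deptno);   -- non-numeric input raises ORA-01722 instead of running
END;
/
```

The allow-list is deliberately preferred over validating an arbitrary object name: an existence check alone would still let a caller name any table the web schema can read, whereas the CASE confines the page to the tables it was written for. The bind variable carries the value outside the statement text, which is the same protection a prepared statement gives in any other database API.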
Current thread:
- Oracle WebDb engine brain-damagse Michal Zalewski (Dec 20)
- <Possible follow-ups>
- Re: Oracle WebDb engine brain-damagse Michal Zalewski (Dec 20)
- Re: Oracle WebDb engine brain-damagse McAllister, Andrew (Dec 20)
- Re: Oracle WebDb engine brain-damagse Michal Zalewski (Dec 22)
- Re: Oracle WebDb engine brain-damagse sporty o'one (Dec 22)
- Re: Oracle WebDb engine brain-damagse Michal Zalewski (Dec 22)
- Re: Oracle WebDb engine brain-damagse Michal Zalewski (Dec 22)
- Re: Oracle WebDb engine brain-damagse Kuznetsov, Vasily (Dec 21)
