Bugtraq mailing list archives
Re: Oracle WebDb engine brain-damagse
From: "McAllister, Andrew" <McAllisterA () UMSYSTEM EDU>
Date: Wed, 20 Dec 2000 16:46:48 -0600
-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf () DIONE IDS PL]
Sent: Tuesday, December 19, 2000 6:54 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Oracle WebDb engine brain-damagse
snip
http://www.<bcc>.oo.uk/somedir/select%09*%09from%09(tablename)

ORA-06550: line 5, column 2:
PLS-00428: an INTO clause is expected in this SELECT statement

Isn't that BEAUTIFUL? It is! :> If something is wrong, it will instruct you on proper syntax! I've never seen something like that... erm, no, I am lying :P But, nevertheless, it looks awesome!

No, I won't make another step, building a working SELECT to browse thru databases (I do not want to be sued by BigCarCompany ;). Of course, SELECT isn't the only possibility... Script kiddies, please read some book on OAS/SQL query syntax. Or better, do not try this at all.
I'm not sure that a select would work, as I believe that the query is running inside a PL/SQL prepared statement where output is not sent to stdout, i.e. the browser. In other words, I believe your statement is translated into something like:

    begin
      some_webdb_standard_stored_procedure_call;
      select * from (tablename);
    end;

This is not to say that you can't issue some dangerous commands as you suggest, just that you won't see any data as a result. Also, I believe that only data manipulation commands will work in this context, e.g. delete, update, insert. I don't believe definition commands will work, e.g. drop, create. Again, I don't have WebDB, so I cannot verify.

Assuming you know the name of an existing table, try this:

http://www.<bcc>.oo.uk/somedir/delete%09from%09tablename

Anyone with WebDB installed should be able to figure out some interesting tables to trash. I don't know this product well enough to say the above query will work, but I know of a similar, non-Oracle, product that behaves exactly as Michal Zalewski describes. That product vendor was notified moments ago of Michal Zalewski's discovery (full credit given, of course).

Andrew McAllister
University of Missouri

snip
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
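The thread's two examples share one shape: a SQL statement placed in a URL path segment with %09 (tab) standing in for whitespace, which the engine then runs inside a PL/SQL block. That is easy to pick out of web-server access logs after the fact, and the reply's observation (a bare SELECT fails with an ORA error while DML needs no INTO clause and can succeed) suggests how to rank what is found. The following detector is an added example written for this archive page, not code from the thread or from Oracle; the access-log lines, the table name "employees" and the client addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines for illustration; not real traffic.
# Line 2 mirrors the SELECT probe from the thread, line 3 the DELETE variant,
# line 4 is a benign path that merely contains the word "selected".
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2000:16:40:01 -0600] "GET /somedir/report_page HTTP/1.0" 200 5120
10.0.0.9 - - [20/Dec/2000:16:41:13 -0600] "GET /somedir/select%09*%09from%09employees HTTP/1.0" 500 412
10.0.0.9 - - [20/Dec/2000:16:41:20 -0600] "GET /somedir/delete%09from%09employees HTTP/1.0" 200 88
10.0.0.7 - - [20/Dec/2000:16:42:02 -0600] "GET /somedir/selected_items?from=cart HTTP/1.0" 200 903
"""

# Keywords that open a standalone SQL statement. The thread notes that DML
# (delete/update/insert) is the case that can succeed silently inside the
# PL/SQL wrapper, so those are ranked higher below.
STATEMENT_PATTERN = re.compile(
    r"^\s*(select|delete|update|insert|drop|create|alter|truncate)\b",
    re.IGNORECASE,
)
DML_KEYWORDS = {"delete", "update", "insert"}

# Minimal CLF parser: client, timestamp, method, request path, status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_path_segments(path):
    """Return percent-decoded path segments that look like a SQL statement.

    Each '/'-separated segment of the request path (query string dropped) is
    decoded so that %09 and %20 become whitespace, then checked for a SQL
    statement keyword at its start. Whitespace inside the segment is required,
    so ordinary words such as 'selected_items' do not match.
    """
    path_only = path.split("?", 1)[0]
    hits = []
    for segment in path_only.split("/"):
        decoded = unquote(segment)
        has_ws = any(ch.isspace() for ch in decoded)
        if has_ws and STATEMENT_PATTERN.match(decoded):
            hits.append(decoded)
    return hits


def scan_log(text):
    """Scan access-log text; return one finding dict per suspicious segment."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        for statement in suspicious_path_segments(m.group("path")):
            keyword = statement.split()[0].lower()
            # A DML statement answered with 200 may have executed; a SELECT
            # in this context fails with an ORA error, so it ranks lower.
            severity = "high" if keyword in DML_KEYWORDS else "medium"
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "statement": statement,
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']} {f['status']} {f['statement']!r}")
```

Matching on decoded path segments rather than on the raw URL is what makes the rule robust: the same probe can be written with %09, %20 or a mix of encodings, and all of them collapse to the same whitespace-separated statement after decoding. Running the scan over historical logs also answers the question the reply raises, since a DML-shaped request that was answered with 200 deserves a check of the named table.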
Current thread:
- Oracle WebDb engine brain-damagse Michal Zalewski (Dec 20)
- <Possible follow-ups>
- Re: Oracle WebDb engine brain-damagse Michal Zalewski (Dec 20)
- Re: Oracle WebDb engine brain-damagse McAllister, Andrew (Dec 20)
- Re: Oracle WebDb engine brain-damagse Michal Zalewski (Dec 22)
- Re: Oracle WebDb engine brain-damagse sporty o'one (Dec 22)
- Re: Oracle WebDb engine brain-damagse Michal Zalewski (Dec 22)
- Re: Oracle WebDb engine brain-damagse Michal Zalewski (Dec 22)
- Re: Oracle WebDb engine brain-damagse Kuznetsov, Vasily (Dec 21)