Subject: Re: Oracle WebDb engine brain-damagse
From: McAllister, Andrew (McAllisterA@UMSYSTEM.EDU)
Date: Wed Dec 20 2000 - 16:46:48 CST
- Next message: Jose Nazario: "Re: OpenBSD remote root"
- Previous message: Michal Zalewski: "Re: Oracle WebDb engine brain-damagse"
- Maybe in reply to: Michal Zalewski: "Oracle WebDb engine brain-damagse"
- Next in thread: Michal Zalewski: "Re: Oracle WebDb engine brain-damagse"
- Next in thread: Kuznetsov, Vasily: "Re: Oracle WebDb engine brain-damagse"
- Maybe reply: McAllister, Andrew: "Re: Oracle WebDb engine brain-damagse"
- Reply: Michal Zalewski: "Re: Oracle WebDb engine brain-damagse"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> -----Original Message-----
> From: Michal Zalewski [mailto:lcamtuf@DIONE.IDS.PL]
> Sent: Tuesday, December 19, 2000 6:54 AM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Oracle WebDb engine brain-damagse
>
snip
> http://www.
>
> ORA-06550: line 5, column 2:
> PLS-00428: an INTO clause is expected in this SELECT statement
>
> Isn't that BEAUTIFUL? It is!:> If something is wrong, it will instruct you
> on proper syntax! I've never seen something like that... erm, not, I am
> lying :P But, nevertheless, it looks awesome! No, I won't make another
> step, building working SELECT to browse thru databases (I do not want to
> be sued by BigCarCompany ;). Of course, SELECT isn't the only one
> possibility... Script kiddies, please read some book on OAS/SQL queries
> syntax. Or better, do not try this at all.
I'm not sure that a select would work as I believe that the query is running
inside a PL/SQL prepared statement where output is not sent to stdout, i.e.
the browser. In other words I believe your statement is translated into
something like:
begin
  some_webdb_standard_stored_procedure_call;
  select * from (tablename);
end;
This is not to say that you can't issue some dangerous commands as you
suggest, just that you won't see any data as a result. Also, I believe that
only data manipulation commands will work in this context e.g. delete,
update, insert. I don't believe definition commands will work, e.g. drop,
create. Again I don't have WebDB, so I cannot verify.
Assuming you know the name of an existing table try this:
http://www.
I don't know this product well enough to say the above query will work, but
anyone with WebDB installed should be able to figure out some interesting
tables to trash.
I know of a similar, non-oracle, product that behaves exactly as Michal
Zalewski describes. That product vendor was notified moments ago of Michal
Zalewski's discovery (full credit given of course).
Andrew McAllister
University of Missouri
snip
>_______________________________________________________
>Michal Zalewski [lcamtuf@tpi.pl] [http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
>=--=> Did you know that clones never use mirrors? <=--=
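The error strings Michal quotes (ORA-06550 / PLS-00428) and Andrew's point that the input lands inside a begin...end block together give a defender a concrete signal: an Oracle compilation error echoed back to the browser means untrusted text reached the PL/SQL parser. The following is an added example, not code from the thread or from Oracle WebDB; the response bodies are constructed, and the code-to-meaning table is an assumption drawn from the two posts.

```python
import re
from typing import List, NamedTuple

# Matches Oracle server (ORA-) and PL/SQL compiler (PLS-) error codes.
ORA_RE = re.compile(r"\b(ORA|PLS)-(\d{5})\b")

# What each code implies about a request, per the thread (assumed mapping):
# ORA-06550 = the submitted text was compiled as part of an anonymous PL/SQL
# block; PLS-00428 = a bare SELECT sat inside that block (no INTO clause),
# i.e. a SELECT was injected but, as Andrew notes, would return no rows.
KNOWN = {
    "ORA-06550": "PL/SQL compilation error: input parsed inside begin...end",
    "PLS-00428": "SELECT without INTO inside PL/SQL: injected SELECT, no data returned",
}


class Finding(NamedTuple):
    line_no: int   # 1-based line in the response body
    code: str      # e.g. "PLS-00428"
    note: str      # meaning, or a generic note for codes not in KNOWN


def scan_response(body: str) -> List[Finding]:
    """Return every Oracle/PL-SQL error code leaked in an HTTP response body."""
    findings = []
    for n, line in enumerate(body.splitlines(), 1):
        for prefix, num in ORA_RE.findall(line):
            code = f"{prefix}-{num}"
            note = KNOWN.get(code, "unclassified Oracle error leaked to client")
            findings.append(Finding(n, code, note))
    return findings


def is_injection_evidence(body: str) -> bool:
    """True when a PL/SQL compile error plus a PLS- code are both echoed:
    that pairing is the signature Michal saw in the WebDB response."""
    codes = {f.code for f in scan_response(body)}
    return "ORA-06550" in codes and any(c.startswith("PLS-") for c in codes)


# Constructed sample: the body a browser would get back, per the thread.
SAMPLE = """<html><body>
ORA-06550: line 5, column 2:
PLS-00428: an INTO clause is expected in this SELECT statement
</body></html>"""

if __name__ == "__main__":
    for f in scan_response(SAMPLE):
        print(f"line {f.line_no}: {f.code} -> {f.note}")
    print("injection evidence:", is_injection_evidence(SAMPLE))
```

Run it over proxy or web-server response captures; a clean page yields no findings, so the check is cheap to add to an existing log pipeline.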