Showing posts from December, 2012

SQL Injection - Oracle as a port scanner

Have you ever used an SQL injection flaw to perform a port scan? It is well known that common databases such as Oracle and SQL Server ship with special packages that can perform HTTP connections, build sockets, resolve host names and gather other information about the network. How about using such resources to perform a port scan through a SQL injection flaw? It is useful for discovering other assets in the network and helps us map the environment.

In our case, the DBMS was Oracle 10g. Usually we use the UTL_HTTP package to perform out-of-band SQL injection attacks; here, however, we are going to use it to perform a port scan. Let's take a look at a practical example from a penetration test:

http://target/index_content.php?id=163447||utl_http.request('10.1.0.141:445')--

In this case, the value of the vulnerable parameter id is concatenated with the result of utl_http.request. We can manipulate the IP address as well as the port number. When the co
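As an added example (not code from the original post), here is the check a defender would want on the web-server side: a small scanner over access logs that URL-decodes each request's query string, flags calls to Oracle network packages such as utl_http, and records which internal host:port the injected call was aimed at. The log lines are constructed for illustration; the package list is an assumption of what is worth alerting on.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Oracle packages/types that can open network connections from inside a query.
ORACLE_NET_CALLS = re.compile(
    r"\b(utl_http|utl_tcp|utl_inaddr|utl_smtp|dbms_ldap|httpuritype)\b",
    re.IGNORECASE,
)
# Quoted host:port literal handed to the call, e.g. utl_http.request('10.1.0.141:445')
TARGET = re.compile(r"['\"]\s*(?:https?://)?([A-Za-z0-9.\-]+):(\d{1,5})")

# Combined-format access log line: source IP, timestamp, request line, status code.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log: one normal request, then two injected utl_http calls.
SAMPLE_LOG = """\
10.9.8.7 - - [03/Dec/2012:10:12:01 +0000] "GET /index_content.php?id=163447 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.9.8.7 - - [03/Dec/2012:10:12:05 +0000] "GET /index_content.php?id=163447%7C%7Cutl_http.request%28%2710.1.0.141%3A445%27%29-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.9.8.7 - - [03/Dec/2012:10:12:09 +0000] "GET /index_content.php?id=163447%7C%7Cutl_http.request%28%2710.1.0.141%3A80%27%29-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def scan_line(line):
    """Return a finding dict if the request carries an Oracle network call, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    src, ts, path, status = m.groups()
    decoded = unquote_plus(urlsplit(path).query)  # decode %7C, %27, %28 ... before matching
    pkg = ORACLE_NET_CALLS.search(decoded)
    if not pkg:
        return None
    tgt = TARGET.search(decoded)
    return {
        "src": src, "time": ts, "status": int(status),  # status kept for correlation
        "package": pkg.group(1).lower(),
        "target_host": tgt.group(1) if tgt else None,
        "target_port": int(tgt.group(2)) if tgt else None,
    }


def scan_log(text):
    """Scan every line of an access log and return the list of findings."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Grouping findings by source IP and target host gives the analyst the list of internal addresses and ports that were probed through the database.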