A while ago I was on a web site using the site’s search engine, when I accidentally entered a quote after my search term and hit enter by reflex (I swear I didn’t want to test their site for SQL injection on purpose). But nevertheless, this is what I got:
As you can see, the error that came back contains the SQL statement that failed. They probably left it in to make it easier to troubleshoot problems, but it gives us quite an insight into their system. Actually, I think it’s a bit too much insight for comfort, if I were them.
The fact that the site shows the SQL statement that went wrong is already a great risk. Why? I’ll tell you why: SQL injection. Normally it’s the hacker’s job to find out what SQL you are running and to work out how to misuse it: add rows from other tables or from data dictionary views to the result on the page, change data, or alter or drop an object. Here the site hands over the statement, the table names and the exact spot where the user input lands, so an attacker only needs to pick a payload that fits. You’re not supposed to make it this easy.
But this error message actually tells much more. To name a few things:
- The ORA-00911 error code (“invalid character”) shows that the database is an Oracle database.
- Apparently OraOLEDB, Oracle’s OLE DB provider, is used to communicate with the database, possibly from the web/application server. OraOLEDB might also point to the programming platform used, since OLE DB is typically called from ADO, classic ASP or .NET code. .NET, maybe?
- The select statement tells you how objects, like tables and views, are named.
- One of the table names begins with “mv_”. Chances are it’s a materialized view, and chances are there is a database link to the source database. That link isn’t necessary, but it’s not uncommon for DBAs to put one there for maintenance.
- The “contains” function is part of the Oracle Text option, so an attacker knows exactly which component to check for known exploits in older versions of Oracle Text.
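To make the risk in the two passages above concrete, here is an added example (my own code, not anything from the site in the post) of a search function built the way the leaked statement suggests, next to a hardened version. The site runs Oracle with an Oracle Text contains() query; SQLite and LIKE stand in here only so the example runs offline, and the table mv_articles, the site_users table and the sample rows are all constructed. The vulnerable version shows the two problems at once: a stray quote breaks the statement and the error echoes the SQL, and a crafted search term turns the same concatenation into a UNION that reads another table or the catalogue (sqlite_master here, ALL_TABLES on Oracle). The safe version uses a bind variable and never returns the statement to the caller.

```python
import sqlite3


def make_db():
    """Constructed sample database standing in for the site's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE mv_articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO mv_articles (title, body) VALUES
            ('Oracle error messages', 'ORA-00911 means invalid character'),
            ('Parameterised queries', 'bind variables keep data out of the statement');
        CREATE TABLE site_users (username TEXT, password_hash TEXT);
        INSERT INTO site_users VALUES ('admin', 'deadbeef'), ('editor', 'cafebabe');
    """)
    return conn


def search_vulnerable(conn, term):
    """String concatenation: the user's text becomes part of the SQL itself.
    On failure the full statement is put in the error, as the site does."""
    sql = "SELECT title FROM mv_articles WHERE body LIKE '%" + term + "%'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        # This is the leak: the error text carries the SQL that failed.
        raise RuntimeError(f"{exc} in statement: {sql}") from exc


def error_for(conn, term):
    """Return the error text the vulnerable search would show, or None."""
    try:
        search_vulnerable(conn, term)
    except RuntimeError as exc:
        return str(exc)
    return None


# Constructed attacker input: closes the string, appends a UNION that reads
# another table, and comments out the rest of the original statement.
UNION_PAYLOAD = "x' UNION SELECT username || ':' || password_hash FROM site_users --"
# Same trick against the catalogue (sqlite_master here; ALL_TABLES on Oracle).
CATALOG_PAYLOAD = "x' UNION SELECT name FROM sqlite_master --"


def search_safe(conn, term):
    """Bind variable: a quote is just a character inside the search value.
    Errors are logged server-side (omitted) and a generic empty result is
    returned; the statement never reaches the browser."""
    sql = "SELECT title FROM mv_articles WHERE body LIKE '%' || ? || '%'"
    try:
        return [row[0] for row in conn.execute(sql, (term,))]
    except sqlite3.Error:
        return []


if __name__ == "__main__":
    db = make_db()
    print(error_for(db, "ORA'"))               # leaks the statement
    print(search_vulnerable(db, UNION_PAYLOAD))  # other table's rows
    print(search_vulnerable(db, CATALOG_PAYLOAD))  # table names
    print(search_safe(db, UNION_PAYLOAD))        # payload is just text: []
```

The single quote in the first call is exactly what happened on the site: one character the developer never expected turns the search box into a diagnostic console. With the bind variable the same input is compared as data, so neither the syntax error nor the UNION payload has any effect.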
So as you can see, a single error message like this one can reveal a lot of the pieces of the puzzle that hackers are looking for. Because that’s what they do: they collect information before (or while) they hack you. The fix is cheap: use bind variables so a quote can never change the statement, and show the user a generic error page while the details go to a server-side log.
I notified the owners of the web site in December 2009 that they have a problem, but when I checked the site today this revealing error still appears. Possibly they are waiting until they get hacked first, or until I remind them once more that this is a big security risk.