WebApp Sec mailing list archives
RE: Oracle SQL Injection
From: "Integrigy" <alerts () integrigy com>
Date: Wed, 12 Jul 2006 08:48:14 -0500
Oracle does not support multiple statements per request, unless it is an anonymous PL/SQL block (which it does not appear to be because of the success of using a union). Because it is a select statement, you will not be able to insert/update/delete in anyway unless it is through a function. With SQL injection and select statements, your options are limited. Your best bet is to exploit standard Oracle functions and the application functions. Since you can query the application, you will want to look at the DBA_OBJECTS, DBA_SOURCE, and DBA_TAB_PRIVS tables to determine what functions can be called. Any called functions will not be able to write to the database unless they are marked PRAGMA TRANSACTION. You can find these by "select * from dba_source where upper(text) like '%PRAGMA TRANSACTION%'". I sometimes see the application change password function marked as PRAGMA TRANSACTION. You will be able to exploit the many buffer overflows and SQL injection in standard Oracle database functions depending on the security patch level. You can also have fun with the old standbys of UTL_HTTP and UTL_SMTP (turn it into a spamming machine). You can find more information at - http://www.integrigy.com/info/IntegrigyIntrotoSQLInjectionAttacks.pdf Hope this helps. -----Original Message----- From: Mark Keegan [mailto:mark.keegan () paradise net nz] Sent: Tuesday, July 11, 2006 9:59 PM To: 'Tim' Cc: webappsec () securityfocus com Subject: RE: Oracle SQL Injection Yes that could work - I know that in MSSQL I would have to do syntax like ';exec sp_addlogin. Once again I don't think Oracle likes terminating the SELECT with a semicolon in this manner.. Maybe as you say if there is a proc or function I can make use of in the subselect that might work. Anyone with a suggestion?? -----Original Message----- From: Tim [mailto:tim-security () sentinelchicken org] Sent: Wednesday, 12 July 2006 2:31 p.m. To: Mark Keegan Cc: webappsec () securityfocus com Subject: Re: Oracle SQL Injection
Thanks for the reply Tim. Yes I have read these articles and also the PeteFinnigan.com site. They are both very good resources but although they allude to being able to perform UPDATES etc I couldn't see a good
example.
As for the SUBSELECT suggestion, I did think about that one myself however I didn't know you can embed UPDATES or DELETES within a SUBSELECT. Could you please provide some sample syntax on this.
Hmm, perhaps you're right, I don't see anything indicating you can use an update/delete/insert in a subquery. I'm no Oracle expert and I don't have a system to test on right now. Can you call built-in stored procedures from your point of injection? Maybe some of them will be of use to you. good luck, tim ------------------------------------------------------------------------- Sponsored by: Watchfire Cross-Site Scripting (XSS) is one of the most common application-level attacks that hackers use to sneak into web applications today. This whitepaper will discuss how traditional CSS attacks are performed, how to secure your site against these attacks and check if your site is protected. Cross-Site Scripting Explained - Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr -------------------------------------------------------------------------- ------------------------------------------------------------------------- Sponsored by: Watchfire Cross-Site Scripting (XSS) is one of the most common application-level attacks that hackers use to sneak into web applications today. This whitepaper will discuss how traditional CSS attacks are performed, how to secure your site against these attacks and check if your site is protected. Cross-Site Scripting Explained - Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr --------------------------------------------------------------------------
Current thread:
- Oracle SQL Injection Mark Keegan (Jul 11)
- Re: Oracle SQL Injection Tim (Jul 11)
- Re: Oracle SQL Injection Cesar (Jul 11)
- Re: Oracle SQL Injection Andrew van der Stock (Jul 11)
- RE: Oracle SQL Injection Mark Keegan (Jul 12)
- Re: Oracle SQL Injection Tim (Jul 12)
- RE: Oracle SQL Injection Mark Keegan (Jul 12)
- RE: Oracle SQL Injection Integrigy (Jul 12)
- Re: Oracle SQL Injection Tim (Jul 11)