2. Dr. Girija Narasimhan 2
Step 1: connect using sys
SQL> CONN SYS AS SYSDBA
Enter password: ***
Connected.
Step 2: Create procedure “change_password”
CREATE OR REPLACE PROCEDURE change_password(p_username VARCHAR2 DEFAULT NULL, p_new_password VARCHAR2 DEFAULT NULL)
IS
  v_sql_stmt VARCHAR2(500);
BEGIN
  v_sql_stmt := 'ALTER USER '||p_username ||'
  IDENTIFIED BY '|| p_new_password;
  EXECUTE IMMEDIATE v_sql_stmt;
END change_password;
/
The parameter list: the change_password procedure accepts two parameters, a username and the new password for that user, and uses both in an ALTER USER statement.
The assignment to v_sql_stmt: the dynamic SQL is built by concatenating the input values directly into the statement text. This is a SQL injection vulnerability, because whatever the caller passes is parsed as part of the ALTER USER command.
Step 3:
SQL> grant execute on change_password to public;
Grant succeeded.
To allow other users to call this procedure, the EXECUTE privilege is granted to PUBLIC. In general, limit the privileges granted to PUBLIC, since every account in the database receives them.
Step 4: connect as another user, “hr”, and try to change the “sys” user's password
SQL> CONN hr
Enter password: **
Connected.
SQL> EXEC sys.change_password('SYS','ORCLE');
PL/SQL procedure successfully completed.
So user “hr” succeeds in changing the “sys” password. The change_password procedure is owned by SYS and, by default, executes with SYS's privileges (definer's rights), so the ALTER USER statement runs as SYS no matter who calls the procedure.
Now fix the change_password procedure so that it is executed with invoker’s rights.
-- Procedure that uses invoker's rights
CREATE OR REPLACE PROCEDURE change_password(p_username VARCHAR2 DEFAULT NULL, p_new_password VARCHAR2 DEFAULT NULL)
AUTHID CURRENT_USER
IS
  v_sql_stmt VARCHAR2(500);
BEGIN
  v_sql_stmt := 'ALTER USER '||p_username ||' IDENTIFIED BY
  '|| p_new_password;
  EXECUTE IMMEDIATE v_sql_stmt;
END change_password;
/
Procedure created.
The AUTHID clause: Oracle8i Database introduced the AUTHID clause for procedures, functions and packages. When it is set to AUTHID DEFINER (the default), the program runs with "definer's rights": references to data objects (such as tables and views) are resolved at compile time, based on the directly granted privileges of the definer, that is, the owner of the program. Roles are ignored. If, on the other hand, the clause is set to AUTHID CURRENT_USER, references to data objects are resolved at run time, based on the privileges of the currently connected schema, and role-based privileges now apply. So adding the AUTHID CURRENT_USER clause ensures that the procedure is executed with invoker's rights.
SQL> grant execute on change_password to public;
Grant succeeded.
Step 2: Now “hr” can no longer change the sys password, or any other user's password
SQL> conn hr
Enter password: **
Connected.
SQL> exec sys.change_password('sys','ora');
BEGIN sys.change_password('sys','ora'); END;
*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYS.CHANGE_PASSWORD", line 8
ORA-06512: at line 1
Or, trying to change the “scott” user's password:
SQL> exec sys.change_password('scott','ti');
BEGIN sys.change_password('scott','ti'); END;
*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYS.CHANGE_PASSWORD", line 8
ORA-06512: at line 1
Step 3: “hr” should still be able to change its own password
SQL> exec sys.change_password('hr','hr1');
PL/SQL procedure successfully completed.
SQL> conn hr
Enter password: *** (hr1)
Connected.
Another SQL injection attempt
v_sql_stmt := 'ALTER USER '||p_username ||' IDENTIFIED BY '|| p_new_password;
The dynamic SQL still contains concatenated input values. Suppose an attacker tries to exploit this by appending extra clauses to the ALTER USER statement, for example to give the HR schema an unlimited quota on the USERS tablespace:
SQL> conn hr
Enter password: *** (hr1)
Connected.
SQL> exec sys.change_password('hr','oracle quota unlimited on users');
BEGIN sys.change_password('hr','oracle quota unlimited on users'); END;
*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYS.CHANGE_PASSWORD", line 8
ORA-06512: at line 1
The SQL injection is not successful this time because the procedure executes with invoker's rights: the injected QUOTA clause turns the statement into a full ALTER USER, which requires the ALTER USER privilege that hr does not hold. Invoker's rights do not eliminate the SQL injection itself, the untrusted input is still concatenated into the statement, but they limit what an attacker can achieve to the privileges the caller already has, which makes the exposure far less severe.
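The following hardened version is an added example written for this page; it is not from the original tutorial or from the Oracle reference it cites. It keeps AUTHID CURRENT_USER and, in addition, validates both inputs with DBMS_ASSERT (available since Oracle 10g) before the statement is built, so that caller-supplied text can never be parsed as extra ALTER USER clauses. It assumes Oracle 11g or later, where passwords are case-sensitive and may be enclosed in double quotes, and like the original it is created while connected as SYS.

```sql
-- Added example, not from the original tutorial: change_password with
-- input validation on top of invoker's rights.
-- Assumes Oracle 11g or later and the DBMS_ASSERT package; run as SYS.
CREATE OR REPLACE PROCEDURE change_password(p_username     IN VARCHAR2,
                                            p_new_password IN VARCHAR2)
AUTHID CURRENT_USER   -- still runs with the caller's privileges, not SYS's
IS
  v_user     VARCHAR2(130);
  v_password VARCHAR2(130);
  v_sql_stmt VARCHAR2(500);
BEGIN
  IF p_username IS NULL OR p_new_password IS NULL THEN
    RAISE_APPLICATION_ERROR(-20001, 'username and password are required');
  END IF;

  -- DBMS_ASSERT.SIMPLE_SQL_NAME raises ORA-44003 unless the value is a
  -- single valid SQL identifier, so a username such as
  -- 'hr quota unlimited on users' is rejected before any SQL exists.
  -- DBMS_ASSERT.ENQUOTE_NAME then wraps it in double quotes (upper-casing
  -- an unquoted name, so 'hr' becomes "HR") and rejects embedded quotes.
  v_user := DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SIMPLE_SQL_NAME(p_username));

  -- A password is not a SQL name, so it is quoted rather than validated.
  -- A double quote inside it would terminate the quoted token early, so
  -- refuse that character, then wrap the whole value in double quotes
  -- with capitalize => FALSE to keep the case the user chose.
  IF INSTR(p_new_password, '"') > 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'password must not contain a double quote');
  END IF;
  v_password := DBMS_ASSERT.ENQUOTE_NAME(p_new_password, FALSE);

  -- The statement is still assembled dynamically, but each input is now
  -- exactly one quoted identifier:  ALTER USER "HR" IDENTIFIED BY "..."
  v_sql_stmt := 'ALTER USER ' || v_user || ' IDENTIFIED BY ' || v_password;
  EXECUTE IMMEDIATE v_sql_stmt;
END change_password;
/
```

Called as in the tutorial, sys.change_password('hr','oracle quota unlimited on users') no longer grants a quota: the entire string becomes one quoted identifier and is simply hr's new password (subject to any password verify function in force). Moving the payload into the username, as in sys.change_password('hr quota unlimited on users','x'), fails with ORA-44003 from SIMPLE_SQL_NAME before any ALTER USER is executed. Invoker's rights still apply underneath, so even if the validation were bypassed the statement would run with only the caller's privileges.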
Reference:
http://download.oracle.com/oll/tutorials/SQLInjection/index.htm