SQL injection using invoker's rights.
Dr. Girija Narasimhan 1
Step 1: connect as SYS
SQL> CONN SYS AS SYSDBA
Enter password: ***
Connected.
Step 2: create the procedure "change_password"
CREATE OR REPLACE PROCEDURE change_password(p_username VARCHAR2 DEFAULT NULL,
                                            p_new_password VARCHAR2 DEFAULT NULL)
IS
  v_sql_stmt VARCHAR2(500);
BEGIN
  -- both inputs are concatenated straight into the statement (deliberately vulnerable)
  v_sql_stmt := 'ALTER USER ' || p_username || ' IDENTIFIED BY ' || p_new_password;
  EXECUTE IMMEDIATE v_sql_stmt;
END change_password;
/
The change_password procedure accepts two parameters, the user name and the user's new password, and uses both in an ALTER USER statement. The statement is built by concatenating the raw input values into a string and running it with EXECUTE IMMEDIATE. Nothing checks that p_username is a plain identifier or that p_new_password carries no further clauses, so this is a SQL injection vulnerability.
Step 3: grant EXECUTE on the procedure
SQL> grant execute on change_password to public;
Grant succeeded.
To let other users call the procedure, EXECUTE is granted to PUBLIC. In general, limit grants to PUBLIC: every database user, present and future, can now call this procedure.
Step 4: connect as another user, "hr", and try to change the "sys" password
SQL> CONN hr
Enter password: **
Connected.
SQL> EXEC sys.change_password('SYS','ORCLE');
PL/SQL procedure successfully completed.
So user "hr", who holds no ALTER USER privilege, has changed the SYS password. The change_password procedure is owned by SYS and by default executes with SYS's privileges (definer's rights), so the ALTER USER inside it runs as SYS no matter who calls it.
Step 1: now fix the change_password procedure so that it executes with invoker's rights.
-- Procedure that uses invoker's rights
CREATE OR REPLACE PROCEDURE change_password(p_username VARCHAR2 DEFAULT NULL,
                                            p_new_password VARCHAR2 DEFAULT NULL)
AUTHID CURRENT_USER
IS
  v_sql_stmt VARCHAR2(500);
BEGIN
  v_sql_stmt := 'ALTER USER ' || p_username || ' IDENTIFIED BY ' || p_new_password;
  EXECUTE IMMEDIATE v_sql_stmt;
END change_password;
/
Procedure created.
The AUTHID clause: Oracle8i introduced the AUTHID clause for procedures, functions and packages. With AUTHID DEFINER (the default) the program runs with definer's rights: privilege checks use the directly granted privileges of the program's owner, roles granted to the owner are ignored, and names are resolved in the owner's schema. Every statement the program issues, dynamic SQL included, therefore executes with SYS's power when SYS owns the program. With AUTHID CURRENT_USER the program runs with invoker's rights: privilege checks happen at run time against the session user that calls it, role-based privileges do apply, and unqualified names are resolved in the caller's schema. Adding AUTHID CURRENT_USER therefore makes the ALTER USER inside change_password run with the caller's privileges, not SYS's.
SQL> grant execute on change_password to public;
Grant succeeded.
(CREATE OR REPLACE keeps the object privileges already granted on the procedure, so this grant only matters if the procedure had been dropped in between.)
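A check a DBA would want after reading the above, added here as an example and not part of the original slides: a query that lists definer's-rights procedures, functions and packages that PUBLIC can execute and whose source contains EXECUTE IMMEDIATE, which is exactly the shape of the vulnerable change_password. It uses the DBA_PROCEDURES, DBA_TAB_PRIVS and DBA_SOURCE dictionary views and assumes a release whose DBA_PROCEDURES view has the AUTHID column (11g and later); run it as a user with access to the DBA_* views, such as SYS.

```sql
-- Added audit query, not from the original slides. Lists every standalone
-- procedure/function or package that (a) runs with definer's rights,
-- (b) is executable by PUBLIC and (c) has EXECUTE IMMEDIATE somewhere in its
-- source, so each hit can be reviewed for concatenated input.
-- Assumes DBA_PROCEDURES exposes the AUTHID column (Oracle 11g and later).
SELECT DISTINCT p.owner,
       p.object_name,
       p.object_type,
       p.authid
FROM   dba_procedures p
JOIN   dba_tab_privs  t
       ON  t.owner      = p.owner
       AND t.table_name = p.object_name
WHERE  p.object_type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE')
AND    p.authid       = 'DEFINER'
AND    t.grantee      = 'PUBLIC'
AND    t.privilege    = 'EXECUTE'
       -- the dynamic SQL of a package lives in its PACKAGE BODY, which
       -- DBA_SOURCE stores under the same owner and name, so no type filter
AND    EXISTS (SELECT 1
               FROM   dba_source s
               WHERE  s.owner = p.owner
               AND    s.name  = p.object_name
               AND    UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%')
ORDER  BY p.owner, p.object_name;
```

Against the database in the slides the query returns the row SYS / CHANGE_PASSWORD / PROCEDURE / DEFINER after Step 3 and nothing for it after the AUTHID CURRENT_USER fix, because the row's AUTHID becomes CURRENT_USER. A hit is a candidate for review, not proof of injection: the source still has to be read for concatenated input, which the LIKE filter cannot judge, and wrapped source is not searchable this way at all. On a real database Oracle-supplied objects may also appear; restrict p.owner to the application schemas of interest.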
Step 2: now "hr" can no longer change the SYS password, or any other user's password
SQL> conn hr
Enter password: **
Connected.
SQL> exec sys.change_password('sys','ora');
BEGIN sys.change_password('sys','ora'); END;
*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYS.CHANGE_PASSWORD", line 8
ORA-06512: at line 1
Likewise, trying to change the password of user "scott":
SQL> exec sys.change_password('scott','ti');
BEGIN sys.change_password('scott','ti'); END;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYS.CHANGE_PASSWORD", line 8
ORA-06512: at line 1
Step 3: "hr" can still change its own password. A user may run ALTER USER ... IDENTIFIED BY on its own account without holding the ALTER USER system privilege, so with invoker's rights hr's own account is the only one the procedure can affect for hr.
SQL> exec sys.change_password('hr','hr1');
PL/SQL procedure successfully completed.
SQL> conn hr
Enter password: *** (hr1)
Connected.
Another SQL injection attempt
v_sql_stmt := 'ALTER USER ' || p_username || ' IDENTIFIED BY ' || p_new_password;
The assignment to v_sql_stmt still concatenates the raw input values, so the procedure is still injectable. p_new_password is appended to the statement unquoted, so anything after the first space becomes an additional ALTER USER clause. Suppose the attacker tries to use this to give the HR schema an unlimited quota on the USERS tablespace:
SQL> conn hr
Enter password: *** (hr1)
Connected.
SQL> exec sys.change_password('hr','oracle quota unlimited on users');
BEGIN sys.change_password('hr','oracle quota unlimited on users'); END;
*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "SYS.CHANGE_PASSWORD", line 8
ORA-06512: at line 1
The injection fails this time because the procedure executes with invoker's rights: hr may change its own password, but QUOTA UNLIMITED ON users requires the ALTER USER system privilege, which hr does not hold. Under definer's rights the same call would have run as SYS and succeeded. Invoker's rights do not eliminate the SQL injection; they reduce the severity of the exposure to whatever the caller is already allowed to do. The concatenated inputs still have to be validated.
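The hardening the slides stop short of, as an added example that is not part of the original deck: the same procedure with both inputs validated through Oracle's DBMS_ASSERT package (available since 10g Release 2), on top of AUTHID CURRENT_USER. The DEFAULT NULL defaults are dropped in favour of an explicit check; the error number -20001 with its message, and the sample calls in the trailing comments, are assumptions made for illustration.

```sql
-- Added example, not from the original slides: change_password with the
-- concatenated inputs validated by DBMS_ASSERT (Oracle 10g R2 and later)
-- in addition to running with invoker's rights.
CREATE OR REPLACE PROCEDURE change_password(p_username     VARCHAR2,
                                            p_new_password VARCHAR2)
AUTHID CURRENT_USER
IS
  v_sql_stmt VARCHAR2(500);
BEGIN
  -- Reject NULLs up front instead of building 'ALTER USER  IDENTIFIED BY '.
  -- Error number and message are illustrative choices.
  IF p_username IS NULL OR p_new_password IS NULL THEN
    RAISE_APPLICATION_ERROR(-20001, 'username and password are required');
  END IF;

  -- SIMPLE_SQL_NAME raises ORA-44003 unless the value is a plain SQL
  -- identifier, so 'hr; drop user scott' never reaches EXECUTE IMMEDIATE.
  -- ENQUOTE_NAME wraps the password in double quotes (capitalize => FALSE
  -- keeps its case) and rejects unbalanced embedded quotes, so spaces and
  -- keywords inside it are part of the password, not of the statement.
  v_sql_stmt := 'ALTER USER '
                || DBMS_ASSERT.SIMPLE_SQL_NAME(p_username)
                || ' IDENTIFIED BY '
                || DBMS_ASSERT.ENQUOTE_NAME(p_new_password, FALSE);

  EXECUTE IMMEDIATE v_sql_stmt;
END change_password;
/

-- Constructed calls, as user hr after EXECUTE has been granted (assumed):
--   EXEC sys.change_password('hr', 'hr1');
--     -> ALTER USER hr IDENTIFIED BY "hr1"           (succeeds)
--   EXEC sys.change_password('hr', 'oracle quota unlimited on users');
--     -> ALTER USER hr IDENTIFIED BY "oracle quota unlimited on users"
--        (sets that string as the password, grants no quota)
--   EXEC sys.change_password('hr; drop user scott', 'x');
--     -> ORA-44003: invalid SQL name, no statement is built
```

With this version the payload from the slide becomes one quoted identifier, the literal password "oracle quota unlimited on users", rather than a QUOTA clause, and a user name that is not a simple identifier is rejected before any SQL exists. The procedure is still owned by SYS and executable by PUBLIC, which the deck itself advises against; that grant is assumed only so that the hr session from the slides can be re-run against it.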
Reference: http://download.oracle.com/oll/tutorials/SQLInjection/index.htm
