Archive for September 12th, 2007

Create Table „!rm -Rf /“ („‚ or 1=1–“ a varchar2(1));

Mittwoch, September 12th, 2007

2 days ago I uploaded my HackInTheBox 2007 presentation „Hacking Hardened and Patched Oracle Databases“ from Malaysia. In this presentation I showed different ways how to hack patched and hardened databases, remove traces from audit tables, …

I explained for example that many SQL*Plus scripts (created on the fly via SPOOL or dbms_output) are vulnerable against SQL Injection. Such a script looks like:
———————-

set heading off
spool /export/home/oracle/drop.sql

select ‚drop table ‚||table_name||‘ cascade constraints ;‘ from dba_tables where owner=’RDS‘;

spool off;

@/export/home/oracle/drop.sql

———————–

The problem with this script is that table_name is concatenated without input validation or the right usage of quotation characters. By creating a table called „sys.aud$“ in the schema „RDS“ it is possible to delete tables from another user (==> drop table sys.aud$) because SQL*Plus scripts are often generated and executed by a DBA user.

Instead of dropping tables it is even possible to run operating system commands (using the strings host,! or $, see vulnerable sample script). SQL*Plus is interpreting the characters ! (Unix) and $ (Windows) as operating system call (= host command).

The following SQL statements are correct but sometimes there are side effects…:

———————–

create table “ ‚ or 1=1 –“ (a varchar2(1));

create table „<script>alert(document.cookie)“ („</script>“ varchar2(1));

create table „!rm -Rf /“ (a varchar2(1));

create table „host calc“ (a varchar2(1));

———————–