2 days ago I uploaded my HackInTheBox 2007 presentation “Hacking Hardened and Patched Oracle Databases” from Malaysia. In this presentation I showed different ways how to hack patched and hardened databases, remove traces from audit tables, …
I explained for example that many SQL*Plus scripts (created on the fly via SPOOL or dbms_output) are vulnerable against SQL Injection. Such a script looks like:
set heading off
select ‘drop table ‘||table_name||’ cascade constraints ;’ from dba_tables where owner=’RDS';
The problem with this script is that table_name is concatenated without input validation or the right usage of quotation characters. By creating a table called “sys.aud$” in the schema “RDS” it is possible to delete tables from another user (==> drop table sys.aud$) because SQL*Plus scripts are often generated and executed by a DBA user.
Instead of dropping tables it is even possible to run operating system commands (using the strings host,! or $, see vulnerable sample script). SQL*Plus is interpreting the characters ! (Unix) and $ (Windows) as operating system call (= host command).
The following SQL statements are correct but sometimes there are side effects…:
create table ” ‘ or 1=1 –” (a varchar2(1));
create table “<script>alert(document.cookie)” (“</script>” varchar2(1));
create table “!rm -Rf /” (a varchar2(1));
create table “host calc” (a varchar2(1));