- 10.2.0.4 (1)
- 11g (3)
- Allgemein (11)
- BEA (1)
- checkpwd (4)
- CPUApr2008 (3)
- CPUJan2008 (2)
- CPUJul2007 (3)
- CPUOct2007 (1)
- CPUOct2008 (1)
- Data Vault (1)
- Database Vault (2)
- David Litchfield (4)
- Exploit (4)
- Forensics (3)
- Inguma (2)
- MacOS (1)
- Mary Ann (1)
- Oracle (2)
- Oracle Security (49)
- passwords (3)
- Podcast (1)
- rootkits (1)
- Security (9)
- Security Book (1)
- Sentrigo (1)
- software (2)
- Source Code Analysis (1)
- source code audit (3)
- SQL Injection (4)
- Tools (1)
- Trainings (1)
- 21 Nov 2008: Oracle Database Vault Privilege Escalation Exploit published
- 14 Okt 2008: Oracle Critical Patch Update October 2008 is out
- 20 Aug 2008: New Oracle bugs and BSQL Hacker
- 9 Aug 2008: July 2008 CPU Advisory - Windows Patch update for Oracle 10.1.0.5
- 29 Jul 2008: Exploit for Oracle Bea Weblogic - Apache Connector published
- 8 Mai 2008: Checkpwd 1.23 for MacOS Intel native released
- 16 Apr 2008: Oracle CPU April 2008 - Update
- 15 Apr 2008: Oracle Critical Patch Update April 2008 is out
- 11 Apr 2008: Looking Glass and Oracle 11g
- 11 Apr 2008: Oracle Critical Patch Update Pre-Release Announcement - April 2008
Create Table “!rm -Rf /” (”‘ or 1=1–” a varchar2(1));
2 days ago I uploaded my HackInTheBox 2007 presentation “Hacking Hardened and Patched Oracle Databases” from Malaysia. In this presentation I showed different ways how to hack patched and hardened databases, remove traces from audit tables, …
I explained for example that many SQL*Plus scripts (created on the fly via SPOOL or dbms_output) are vulnerable against SQL Injection. Such a script looks like:
———————-
set heading off
spool /export/home/oracle/drop.sql
select ‘drop table ‘||table_name||’ cascade constraints ;’ from dba_tables where owner=’RDS’;
spool off;
@/export/home/oracle/drop.sql
———————–
The problem with this script is that table_name is concatenated without input validation or the right usage of quotation characters. By creating a table called “sys.aud$” in the schema “RDS” it is possible to delete tables from another user (==> drop table sys.aud$) because SQL*Plus scripts are often generated and executed by a DBA user.
Instead of dropping tables it is even possible to run operating system commands (using the strings host,! or $, see vulnerable sample script). SQL*Plus is interpreting the characters ! (Unix) and $ (Windows) as operating system call (= host command).
The following SQL statements are correct but sometimes there are side effects…:
———————–
create table ” ‘ or 1=1 –” (a varchar2(1));
create table “<script>alert(document.cookie)” (”</script>” varchar2(1));
create table “!rm -Rf /” (a varchar2(1));
create table “host calc” (a varchar2(1));
———————–
3 Antworten auf “Create Table “!rm -Rf /” (”‘ or 1=1–” a varchar2(1));”
Antwort schreiben
Sie müssen als angemeldet sein, um einen Kommentar schreiben zu können.
14 Sep 2007 bei 07:52
Hallo
Habe das mal etwas durchgetestet. Sie haben recht, je nach Situation kann mit diesen Tabellennamen etwas passieren. Aber nicht in jedem Ihrer Beispiele.
drop table !rm -Rf / cascade constraints;
erzeugt z.B. einen Syntaxfehler, da ! das erste Zeichnen sein muss, damit ein Hostkommando ausgeführt wird.
Genauso werden in den anderen Fällen (ausser sys.aud$) keine Aktionen ausgeführt.
Trotzdem - klar dürfen keine solche Tabellennamen vorkommen - je nach Kontext kann etwas falsches/gefährliches rauskommen.
Tipp:
Ich schreibe Ihr Besispiellösch-Script nie so, wie sie es haben, da ich doch einige Applikationen mit Case-Sensitiven Tabellennamen kenne.
Deswegen etwas besser und etwas sicherer:
select ‘drop table “‘||table_name||’” cascade constraints ;” from dba_tables where owner=”RDS”;
Also Tabellennamen in Doublequotes. Dann wird auch die “richtige” sys.aud$ gelöscht.
Viele Grüsse
Sven
14 Sep 2007 bei 09:38
SQL> conn system/oracle
Connected.
SQL> create table “!rm -Rf /tmp/somestuff/” (a varchar2(1));
Table created.
SQL> drop table “!rm -Rf /tmp/somestuff/”;
Table dropped.
SQL> create table “!rm -Rf /tmp/somestuff/” (a varchar2(1));
Table created.
SQL> create synonym “DUAL” for “!rm -Rf /tmp/somestuff/”;
Synonym created.
SQL> desc dual
Name Null? Type
———— ——– ————-
A VARCHAR2(1)
SQL> select * from dual;
no rows selected
SQL> drop synonym “DUAL”;
Synonym dropped.
SQL> desc dual
Name Null? Type
———— ——– —————————————–
DUMMY VARCHAR2(1)
SQL> create synonym “DUAL” for “!rm -Rf /tmp/somestuff/”;
Synonym created.
SQL> select * from dual;
no rows selected
SQL> create or replace force view EMP
2 as
3 select * from “DUAL” ;
View created.
SQL> desc EMP
Name Null? Type
———— ——– —————————————–
A VARCHAR2(1)
SQL> create or replace force view DEPT
2 as
3 select * from “!rm -Rf /tmp/somestuff/”;
View created.
SQL> create or replace force view DEPT
2 as
3 select * from “!rm -Rf /tmp/somestuff/”;
View created.
SQL> desc DEPT
Name Null? Type
———— ——– —————————————–
A VARCHAR2(1)
SQL> select ‘drop table “‘||table_name||’” cascade constraints; ‘ from user_tables;
‘DROPTABLE”‘||TABLE_NAME||’”CASCADECONSTRAINTS;’
——————————————————————————–
drop table “LOGMNR_PARAMETER$” cascade constraints;
drop table “LOGMNR_SESSION$” cascade constraints;
drop table “MVIEW$_ADV_WORKLOAD” cascade constraints;
drop table “MVIEW$_ADV_BASETABLE” cascade constraints;
…..
drop table “!rm -Rf /tmp/somestuff/” cascade constraints;
…..
drop table “LOGMNR_GLOBAL$” cascade constraints;
drop table “LOGMNR_SESSION_EVOLVE$” cascade constraints;
drop table “LOGMNR_UID$” cascade constraints;
154 rows selected.
SQL> drop view emp;
View dropped.
SQL> drop view dept;
View dropped.
SQL> drop synonym dual;
Synonym dropped.
SQL> drop table “!rm -Rf /tmp/somestuff/”;
Table dropped.
14 Sep 2007 bei 09:40
In other words, Sven, don’t forget to use the double quotes…