2 days ago I uploaded my HackInTheBox 2007 presentation „Hacking Hardened and Patched Oracle Databases“ from Malaysia. In this presentation I showed different ways how to hack patched and hardened databases, remove traces from audit tables, …
I explained for example that many SQL*Plus scripts (created on the fly via SPOOL or dbms_output) are vulnerable against SQL Injection. Such a script looks like:
———————-
set heading off
spool /export/home/oracle/drop.sql
select ‚drop table ‚||table_name||‘ cascade constraints ;‘ from dba_tables where owner=’RDS‘;
spool off;
@/export/home/oracle/drop.sql
———————–
The problem with this script is that table_name is concatenated without input validation or the right usage of quotation characters. By creating a table called „sys.aud$“ in the schema „RDS“ it is possible to delete tables from another user (==> drop table sys.aud$) because SQL*Plus scripts are often generated and executed by a DBA user.
Instead of dropping tables it is even possible to run operating system commands (using the strings host,! or $, see vulnerable sample script). SQL*Plus is interpreting the characters ! (Unix) and $ (Windows) as operating system call (= host command).
The following SQL statements are correct but sometimes there are side effects…:
———————–
create table “ ‚ or 1=1 –“ (a varchar2(1));
create table „<script>alert(document.cookie)“ („</script>“ varchar2(1));
create table „!rm -Rf /“ (a varchar2(1));
create table „host calc“ (a varchar2(1));
———————–