- Alexander Kornbrust Oracle Security Blog - http://blog.red-database-security.com -

Oracle, white spaces and unexpected behaviour

Dieser Eintrag stammt von Alexander Kornbrust Am 15 Jan 2008 @ 12:47 In SQL Injection, Oracle Security | 3 Kommentare

Last week I saw the blog entry “[1] select 1.x from t1” from Laurent concerning white spaces in select statements and Tom Kyte’s answer with a short explanation. Tanel Poder wrote a blog entry “[2] Can you write a working SQL statement without using any whitespace?” too.

In my opinion and from the security perspective making whitespaces optional in SQL statements is a bad idea because it’s an unexpected behavior. And this is always a bad idea.

Here a real life example from Oracle itself:
Two years ago I found a SQL Injection Vulnerability in the web component of XMLDB.

The exploit was looking like:

http://url/xmldb?param1=’||(select sysdate from dual)||’

The result was a HTTP page containing the current date in an Oracle error message, a common exploit technique used by attackers.

The bugfix from the Oracle developer responsible for this component was to filter the URL for white spaces. Whenever a whitespace was part of the URL, the query was rejected. That’s why it was still possible to use functions (e.g. SYS_CONTEXT, …) but select statements were refused.

At that time I was not aware that SQL statements can be constructed without white spaces.

But with the knowledge from Laurent’s and Tanel’s blog entries I could rewrite the exploit

http://url/xmldb?param1=’||(select/**/sysdate/**/from”DUAL”)||’

A quick check in the Oracle PL/SQL code shows that some Oracle packages are using whitespaces as token separator (with the function instr()). I was also able to create a buffer overflow with alter session (11g) in SQL*Plus using this technique.  I will digg deeper…

Quick question to my readers: Is this just an Oracle behavior or also possible in other databases like SQLServer or DB2.


Dieser Artikel wurde ausgedruckt ab Alexander Kornbrust Oracle Security Blog: http://blog.red-database-security.com

URL zum Artikel: http://blog.red-database-security.com/2008/01/15/oracle-white-spaces-and-unexpected-behaviour/

URLs in this post:
[1] select 1.x from t1: http://laurentschneider.com/wordpress/2008/01/select-1x-from-t1.html
[2] Can you write a working SQL statement without using any whitespace?: http://blog.tanelpoder.com/2008/01/14/can-you-write-a-working-sql-statement-with
out-using-any-whitespace/

Klicken hier zum Drucken.