Archive for the ‘SQL Injection’ Category

Oracle Openworld 2009 – SQL Injection Presentation

Dienstag, Oktober 13th, 2009

Just back from a short trip to the Oracle Openworld where I gave a presentation „SQL Injection Crash Course for Developers„. This was the first time I talked at the Openworld in San Francisco. The feedback from the attendees was quite good.

In the SQL Injection presentation I showed some screenshots of the brand new web application scanner Netsparker (previously known as Dilemma) from Mavituna Security.

Netsparker is one of the most advanced web application scanner. Really professional GUI, easy to use. Well done Ferruh
Netsparker GUI

Supports the execution of SQL statements and OS commands on the DB server.

Netsparker Command Window

I also met the APEX team from Oracle and had a long interesting chat with them. Joel Kallmann gave me a few tips how to harden my APEX 3.2.1 installation using mod_plsql.

What else happened in the Oracle security scene?

Slavik posted today an interesting blog entry about SQL Injection too.

Today Pete Finnigan published an entry about spoofing users and programs in Oracle. In his blog entry he mentions also the bug DB18 from January 2006, found by Imperva. AFAIK I was the first came up with the idea patching the oraclient9.dll  using a hex editor and then I sent an email with a description to Pete.

Nowadays this trick is no longer necessary for exploiting this after David Litchfield released a small tool (part of OAK – Oracle Assessment Kit) called ora-auth-alter-session.exe. But for many other applications the client patching technique can be really useful.

Defcon Presentation about an Oracle Worm, oap_hacker and bsqlbf

Mittwoch, August 5th, 2009

Sumit Siddharth has published his Defcon presentation about „The Making of Second SQL Injection Worm (Oracle Edition)„.

Sumit describes the differences between SQL Injection and PL/SQL Injection and presents his tool „oap_hacker.pl“ which allows to run OS commands via Java. oap_hacker.pl and Bsqlbf v.2.3 are using a PL/SQL Injection bug in dbms_export_extension (the old one and not the new one which was fixed with the CPU July 2009).

BTW, the (underground) tool darkORASQLi.py to dump data from Oracle databases is also using the dbms_export_extension vulnerability to run OS command.

A demo of his Oracle worm ora_w0rm.pl is available on YouTube.

Here are some screenshots how to overtake a client PC accessing an (via worm) infected Oracle System:

Oracle Worm 1

Oracle Worm 2

Oracle Worm 3

Oracle Worm 4

Very interesting work. Thanks Sumit for this presentation.

Oracle & Metasploit Presentation from Blackhat USA are already online

Mittwoch, Juli 29th, 2009

The Oracle & Metasploit material (PDF, Slides) from the Blackhat 2009 conference from Chris Gates is already online. A short review will be done tomorrow.

SQLMap 0.7-1 released

Sonntag, Juli 26th, 2009

Bernardo Damele has released a new version of his SQL Injection Tool SQLMap 0.7.1. This version comes with new features like support for Mac OSX, support of Metasploit wrapping functions plus several bugfixes (changelog).

Oracle CPU July 2009 published

Mittwoch, Juli 15th, 2009

Yesterday night Oracle released the July 2009 CPU. This CPU contains 30 fixes for several Oracle products. 10 security issues are fixed in the Oracle Database Server.As always the usual suspects (Esteban, David, Joxean, Alexandr, Dennis) and a few others reported issues in Oracle products.

The 3 most critical bugs this time are related to the TNS Listener and one of the bugs be exploited without authentication.These issues CVE-2009-1020, CVE-2009-1019, CVE-2009-1963 are rated with CVSS 9 (for Windows), 7.5 for Unix.
Oracle has also fixed 3 of my findings in the database (3 out of 10 :-))

  • SQL Injection in DBMS_EXPORT_EXTENSION (previously fixed in April 2006)
  • Information Disclosure (Password Hash) in Database Vault
  • Information Disclosure (Password Hash) in Audit Vault

More details will be published within the next few days. The updates for our Oracle database scanner Repscan (free trial available) will be released within the next 2 days.