Defcon Presentation about an Oracle Worm, oap_hacker and bsqlbf

Sumit Siddharth has published his Defcon presentation about „The Making of Second SQL Injection Worm (Oracle Edition)„.

Sumit describes the differences between SQL Injection and PL/SQL Injection and presents his tool „oap_hacker.pl“ which allows to run OS commands via Java. oap_hacker.pl and Bsqlbf v.2.3 are using a PL/SQL Injection bug in dbms_export_extension (the old one and not the new one which was fixed with the CPU July 2009).

BTW, the (underground) tool darkORASQLi.py to dump data from Oracle databases is also using the dbms_export_extension vulnerability to run OS command.

A demo of his Oracle worm ora_w0rm.pl is available on YouTube.

Here are some screenshots how to overtake a client PC accessing an (via worm) infected Oracle System:

Oracle Worm 1

Oracle Worm 2

Oracle Worm 3

Oracle Worm 4

Very interesting work. Thanks Sumit for this presentation.

Comments are closed.