Hello all,
I wrote a blog post about exploitation via error based sql injection
of an oracle 11g database based web application and I thought I may
share it with the lists. In case anyone is interested the full blog
post can be found in
http://zqyves.wordpress.com/2011/07/24/error-based-sql-injection-in-oracle-11g/.
To cut a long story short :
- Oracle 11g has introduced the concept of access control on network
related function ( by default they are only accessible by SYS ) so one
cannot use utl_inaddr.get_host_name or utl_http.request and their
derivatives to get data either in- or out-of-band respectively.
- A couple of other functions that are mentioned in
http://www.red-database-security.com/wp/oracle_sql_injection_2009.pdf
were either not accessible to me or not present in the supporting db.
Researching into the database I found one function that was both
accessible and its output could be controlled by user input. This
function is DBMS_XMLGEN.GETXML (more info on that here
http://psoug.org/reference/dbms_xmlgen.html) and the following is a
valid sql injection string:
t' or '1'=to_char(select dbms_xmlgen.getxml('select "'||(select user
from sys.dual)||'" from sys.dual') from sys.dual)--
The error output will be something in the form of ORA-00904 "SCOTT":
invalid identifier.
The caveat is that the returned data cannot be more than 30 characters
long, but you can use substr() to control that and "walk" the desired
value.
Does anyone know of other functions, and what rights they need (e.g.
available to PUBLIC), whose output can be controlled and used in an
error based sql injection scenario?
Best regards,
./Zacharias