prev
next
out of 31

SQL PLSQL Injection Primer

Tags:

Embed Size (px)

Citation preview

Aelphaeis Mangarae [IRC.SecurityChat.Org +6697/6667 #BHF]

[http://blackhat-forums.com]

Title: Assault on

PL/SQL - Injection

Date: September 7th 2008 Author:Aelphaeis Mangarae

Table of ContentsIntroduction A Glance at Oracle APEX-What is Oracle APEX? -Architecture of Oracle APEX -mod_plsql / XML DB HTTP

1 4

Oracle Database Permissions-Invoker vs. Definer Rights

7 8

What Is SQL Injection?-Introduction -What Programming Languages are Vulnerable? -Example: SQL Injection Exploitation -SQL Injection Oracle vs. Other DBMS

PL/SQL Overview-Introduction -PL/SQL Data Types -Procedures, Functions & Packages -Executing Database Commands -PL/SQL Triggers -PL/SQL Cursors

12

PL/SQL Injection-What is PL/SQL Injection? -Injecting into a SELECT Query -Injecting into DML -Database Privilege Escalation -Technique: Autonomous Transaction

21

PLEASE READ Greetz

IntroductionIn this paper I will be discussing Injection into Oracle PL/SQL database objects. Like many vulnerabilities PL/SQL Injection is possible because user input is not validated or in other cases the validation is not sufficient and can be bypassed. This paper will cover a bit of Information on Oracle Application Express (APEX) which I will be using (the SQL Command Line) for this paper. I will also start with an Introduction into SQL Injection and then an Introduction into PL/SQL. This paper is meant for the beginner and you should find I have included the information you need to get started with exploitation of PL/SQL Injection. This paper does not go over auditing Oracle database objects for vulnerabilities. The examples given are simple and for educational purposes, although real world vulnerabilities arent going to be too much different. There are vulnerabilities in some of the thousands of packages, procedures and functions provided by Oracle in the DBMS. The main place where you are going to find Injection vulnerabilities are packages, procedures or functions written by developers of Oracle systems.

A Glance at Oracle Application ExpressWhat Is Oracle APEXOracle Application Express (previously HTMLDB, before 2006) is free web based environment for creating web application front ends (rapid application development) for an Oracle DBMS. Oracle APEX is installed with Oracle 11g and I will assume later versions as well. Oracle APEX is compatible with Oracle 9.2 or higher DBMS.

Architecture of Oracle APEX

With Oracle Database 11.1, you can remove Oracle HTTP Server (Apache) from the architecture and replace it with the embedded PL/SQL gateway. The embedded PL/SQL gateway runs in the XML DB HTTP server in the Oracle database and includes the core features of mod_plsql, but does not require the Oracle HTTP Server powered by Apache. The graphic below illustrates the Oracle Application Express architecture using the Embedded PL/SQL Gateway.

mod_plsql / XML DB HTTPMOD_PLSQL is an Apache (Web Server) extension module that allows one to create dynamic web pages from PL/SQL packages and stored procedures. It is ideal for developing fast and flexible applications that can run on the Internet or an Intranet. MOD_PLSQL was formerly called the Oracle PL/SQL Cartridge and OWA (Oracle Web Agent). http://www.orafaq.com/faqmodpl.htm Usually if XML XB HTTP that is built into Oracle APEX isnt used then mod_plsql is used with Apache web server. You can call a Procedure or Function (outside or inside of a Package) from the web through mod_plsql and XML DB HTTP. Example: http://serverdomain.com:8080/apex/SYSTEM.GET_EMP_BY_LASTNAME?LAST_NAME=MANGARAE

What Can You Create With Oracle APEX?As I mentioned above APEX is built for rapid application development, you can create an array of things relating to your database(s). You can create reports, forms, charts and other things built into APEX and of course functionality added in by the programmer. Data Entry Form

Report

Oracle APEX & PL/SQL PL/SQL Packages, Procedures and Functions can be created in the SQL Workshop.

Code in the database can be called from Forms, Reports and other things generated by Oracle APEX.

I will be using the SQL Command Line in Oracle APEX shown below.

Oracle Database PermissionsInvoker vs. Definer RightsBy default in Oracle DBMS procedures, functions, packages etc will execute with the rights of the definer. To give you an example, say you had a procedure created by user STEVEN, and user JAMES had the rights to execute that procedure, that procedure would always execute with the rights of the definer, unless it is specified otherwise in the procedure. When using Invoker Rights the procedure or function will execute with the rights of the invoker as well as the context of the Schema of that user. Invoker rights were introduced into Oracle (since 8i) for the purpose of allowing security; it isnt a good idea to allow a procedure to be executed by another user with out using Invoker rights. Invokers Rights are implemented into a PL/SQL Procedure or Function using the AUTHID keyword. An example below: CREATE PROCEDURE create_dept ( my_deptno NUMBER, my_dname VARCHAR2, my_loc VARCHAR2) AUTHID CURRENT_USER AS BEGIN INSERT INTO dept VALUES (my_deptno, my_dname, my_loc); END; Who Is The Current User? If an invoker rights Procedure, Function is the first code called; the current user is the session user. That remains true until a procedure or function created with definer rights is called, in which case the owner of that Procedure or Function becomes the current user. If the definer rights procedure or function calls any code defined with invokers rights, it will execute with the privileges of the owner. When the definer rights code exits, control reverts to the previous current user.

What Is SQL Injection?IntroductionSQL Injection vulnerabilities occur in a wide range of programming languages, they occur for the most part only because the Programmer(s) does not know any better about his insecure programming practice(s) or is simply lazy and failed to do appropriate input validation. According to Wikipedia: SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. This is true, however saying occurring in the database layer of an application is a very brief thing to say. SQL Injection is NOT a vulnerability that has anything to do with poor security on the part of the DBMS developer. Although when the vulnerability is exploited any poor security in the DBMS can be exploited by an attacker. SQL Injection is the injection of an SQL Statement (or anything interpreted by SQL) into a string, sometimes an object that is passed to a DBMS to execute. This is usually possible because the string that is passed to the DBMS contains user input which is not properly validated. User input is usually expected to be short strings, however one or more of these inputs is used to escape out of an SQL statement by an attacker and add addition SQL code. Part of the attacker string might include something to end the statement or comment out the rest.

What Programming Languages are Vulnerable?Vulnerable Languages: C/C++, VB, C#, ASP.NET, PHP, Java, JSP, Perl, Python, Ruby and more. However most of these languages provide something to the programmer to allow them to securely put together an SQL statement. Below is a Java code example of some code that is vulnerable to SQL Injection: String SQLSTMT = SELECT * FROM EMPLOYEES WHERE LAST_NAME = + _lastName.getText(); Statement stmt = con.createStatement(); //con being a database Connection object. stmt.executeUpdate(SQLSTMT);

The user input into _lastName is the point of Injection.

This vulnerability is very noticeable for the following reasons: 1. It is clear that is the user input that makes up part of the SQL statement is not validated. 2. The SQL statement itself is not validated before being passed for execution by the database, although I would imagine #1 would be implemented rather than this. 3. The string that contains the SQL statement is made by simply concatenating strings, rather than using something safer such as PreparedStatements to put together an SQL statement. Below is a Java code example using a PreparedStatement that is not vulnerable to Injection. PreparedStatement SQLSTMT = con.prepareStatement("SELECT * FROM EMPLOYEES WHERE LAST_NAME = ?"); SQLSTMT.setString(1, _lastName.getText()); SQLSTMT.executeUpdate(); Prepared statements are used in Java to safely put together SQL statements. Information: http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html

Example: SQL Injection ExploitationSoftware: ViArt Shop


oracle plsql training | oracle online training | oracle plsql demo | oracle plsql course

oracle plsql training | oracle online training | oracle plsql demo | oracle plsql course

Education
Unwrapping Oracle PLSQL - Macrotone Consulting Homemacrotoneconsulting.co.uk/images/Documents/unwrap.pdf · Macrotone Consulting Ltd Unwrapping PLSQL unwrap Unwrapping Oracle PLSQL

Unwrapping Oracle PLSQL - Macrotone Consulting Homemacrotoneconsulting.co.uk/images/Documents/unwrap.pdf · Macrotone Consulting Ltd Unwrapping PLSQL unwrap Unwrapping Oracle PLSQL

Documents
plsql midterm2

plsql midterm2

Documents
PLSQL Standards Developed for the PLSQL Starter Framework-1.pdf

PLSQL Standards Developed for the PLSQL Starter Framework-1.pdf

Documents
PLSQL Tutorial

PLSQL Tutorial

Documents
Plsql overview

Plsql overview

Documents
Plsql commons

Plsql commons

Technology
PLSQL Reference

PLSQL Reference

Documents
plsql tutorialhub

plsql tutorialhub

Education
plsql _final2

plsql _final2

Documents
Oracle Plsql

Oracle Plsql

Documents
Plsql Samp

Plsql Samp

Documents
PLSQL Advanced

PLSQL Advanced

Data & Analytics
Plsql Mid2

Plsql Mid2

Documents
oracle plsql | oracle plsql training | oracle sql and pl sql

oracle plsql | oracle plsql training | oracle sql and pl sql

Education
PLSQL Cursors

PLSQL Cursors

Technology
Dicas Plsql

Dicas Plsql

Documents
Plsql Guide

Plsql Guide

Documents
Advanced Plsql

Advanced Plsql

Documents
PLSQL_sPLSQL_s01_l03 Creating PLSQL Blocks.pdf01_l03 Creating PLSQL Blocks

PLSQL_sPLSQL_s01_l03 Creating PLSQL Blocks.pdf01_l03 Creating PLSQL Blocks

Documents
PLSQL for Beginners - hosteddocs.ittoolbox.comhosteddocs.ittoolbox.com/PLSQL+for+Beginners.pdf · Title: Microsoft Word - PLSQL for Beginners.doc Author: Administrator Created Date:

PLSQL for Beginners - hosteddocs.ittoolbox.comhosteddocs.ittoolbox.com/PLSQL+for+Beginners.pdf · Title: Microsoft Word - PLSQL for Beginners.doc Author: Administrator Created Date:

Documents
plsql Les09

plsql Les09

Education
Plsql Queries

Plsql Queries

Documents
Accenture Plsql

Accenture Plsql

Documents
How to Write Injection Proof Plsql 1 129572

How to Write Injection Proof Plsql 1 129572

Documents
Plsql Apps

Plsql Apps

Documents
Plsql les04

Plsql les04

Education
PLSQL plsql Complete

PLSQL plsql Complete

Documents
PLSQL Questions

PLSQL Questions

Documents
Documentation PLSQL

Documentation PLSQL

Documents