Anatomy of Oracle Web Environment Injection Technology

Source: Internet
Author: User

Oracle is a database that appeared relatively early, but its market share is very large and it is often found behind large systems. In addition to supporting a wide variety of SQL statements, it provides many packages and stored procedures, and it even supports features such as Java and library creation; such powerful functionality is also very convenient for hacking.

Oracle has many default accounts and many stored procedures. These stored procedures are created by the system, and many of them are executable by PUBLIC by default. In the past few years many Oracle vulnerabilities have been published, including overflows and SQL injection.

Among these, SQL injection is particularly serious, because in Oracle a stored procedure created without the AUTHID CURRENT_USER keyword runs with the privileges of its creator (definer rights), and PUBLIC has permission to call these stored procedures. Therefore, once a built-in stored procedure can be injected, it is easy for an ordinary user to escalate to Oracle system privileges.

Oracle itself has many built-in accounts, some of which have a default password and the CONNECT privilege. If the Oracle port is not protected by a firewall and can be reached remotely, the system can be logged into remotely with a default account, and the SQL injection vulnerabilities in the system's stored procedures can then be exploited.

Of course, the SID is required to log on to Oracle, but this is not difficult. By default no password is set on the Oracle TNS listener, and the services command of tnscmd.pl can be used to identify the system's SID (in newer versions this issue has been fixed); this is also a classic method of intrusion into Oracle.

Oracle Web Hacking Technical Background

Oracle has a wide range of system tables. Almost all information in Oracle is stored in system tables, including the current running status of the database, the current user, the current database, and the databases and tables accessible to the user. The system tables are the core of the entire database; by querying the appropriate system tables, almost all information can be obtained.

For example, sys.v_$option contains information about the current database, such as whether Java is supported; all_tables contains information about all tables, all_tab_columns contains information about all columns, and so on. This makes it very convenient to obtain information. The following describes how system tables can be used to obtain sensitive information.
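As an added example (constructed here, not from the original article), the same data dictionary views can be used from the defending side: an inventory query that lists the risk class described above, objects PUBLIC may execute that run with definer rights, plus the option check the text mentions. It assumes Oracle 11g or later (where ALL_PROCEDURES exposes the AUTHID column) and a session that can read these views.

```sql
-- Added audit query, not from the original article.
-- Assumes Oracle 11g or later (ALL_PROCEDURES.AUTHID exists) and a session
-- that can read the ALL_* views; a DBA would use DBA_PROCEDURES / DBA_TAB_PRIVS
-- (where the schema column is named OWNER) to cover every schema.

-- Objects executable by PUBLIC that run with definer rights: every caller
-- inherits the owner's privileges, so an injectable one is a privilege escalation.
SELECT p.owner,
       p.object_name,
       p.object_type,
       p.authid
  FROM all_procedures p
  JOIN all_tab_privs  t
    ON t.table_schema = p.owner
   AND t.table_name   = p.object_name
 WHERE t.grantee        = 'PUBLIC'
   AND t.privilege      = 'EXECUTE'
   AND p.authid         = 'DEFINER'
   AND p.procedure_name IS NULL      -- one row per object, not per subprogram
 ORDER BY p.owner, p.object_name;

-- The option view mentioned above: is Java enabled in this instance?
SELECT parameter, value
  FROM v$option
 WHERE parameter = 'Java';

-- How much of the dictionary the current account can see, grouped by owner;
-- this is the footprint an injected query would enumerate through all_tables.
SELECT owner, COUNT(*) AS tables_visible
  FROM all_tables
 GROUP BY owner
 ORDER BY tables_visible DESC;
```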

Among Oracle's various vulnerabilities, there is nothing particularly mysterious about injection in stored procedures. Stored procedures and functions accept user input and send it to the database server to be parsed and executed; if the statement is executed as an SQL string, data and commands are easily confused, resulting in SQL injection. However, the nature of an injection vulnerability varies according to where the injection occurs.

Oracle uses PL/SQL, and when the vulnerability occurs in a DML statement such as a SELECT, multi-statement execution is not supported; therefore, to run your own statement such as grant dba to lovehsell, you must create your own function or stored procedure. If you lack the relevant privileges, cursor injection with the dbms_sql package can also be used to get around these restrictions.

Most injections are of the limited kind described above: you must rely on other packages, or on a cursor you have created yourself, to escalate privileges. However, there are also some rare vulnerabilities where the injection environment is very loose, that is, the user's input is injected into an anonymous PL/SQL block between BEGIN and END. Injection in this environment allows multiple statements to be injected directly, without any restrictions. We will see later how much this kind of vulnerability adds to web injection technique.

The attack techniques above are all techniques against Oracle itself, but many environments today only expose web services externally, with the backend database protected by a firewall, so it is not possible to obtain much detailed information about the database, nor to log on to it directly to perform operations. In this case, web vulnerabilities must be used to attack the backend database.

Now let's look at how injection works in the Oracle web environment. Oracle works well in various web environments, and the web environment itself has little effect on injection. ASP, .NET and JSP do not filter input parameters, but because .NET and JSP are strongly typed languages, a numeric injection may produce an error when the parameter is received even if the SQL statement is not filtered; therefore injection occurs more often on string parameters.

In the PHP environment every ' is escaped as \', but in Oracle \' is not an escape (the correct escape in Oracle is ''). However, using ' in our own injection statement will break it, because the ' is converted to \', so ' cannot be used during injection. Beyond this, there are no restrictions in the web environment.

On the database side, if a statement is executed with parameters it cannot be injected; only string concatenation can be injected (and because string concatenation is relatively simple, for historical reasons many programmers prefer it). String concatenation comes in two forms: the parameter sits inside a DML statement such as select, update or insert, or the parameter sits inside a PL/SQL anonymous block. If the web program does not catch errors, the type of the current statement can easily be determined from the error, which will be discussed later. Anonymous PL/SQL blocks are rare but not excluded; there is basically no restriction on such injection, multiple statements can be executed to do anything, and it is no different from a local login.
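As an added illustration of the two points above (definer-rights procedures, and string concatenation versus parameters), constructed here and not the article's own code: a weak procedure that splices its argument into the SQL text, next to a hardened version that runs with invoker rights and passes the value as a bind variable. The schema names app_owner and app_user and the orders table are assumed.

```sql
-- Constructed example, not from the original article. Assumed schema: APP_OWNER
-- owns ORDERS and both procedures; APP_USER is a low-privilege account.

-- Weak: no AUTHID clause, so the default is definer rights (runs as APP_OWNER),
-- and p_status is spliced into the SQL text. A backslash is an ordinary
-- character in an Oracle literal; only a doubled quote ('') stands for a quote,
-- so PHP-style \' does not keep a quote in the input from ending the literal.
CREATE OR REPLACE PROCEDURE app_owner.count_orders_weak (p_status IN VARCHAR2)
IS
  l_cnt PLS_INTEGER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app_owner.orders WHERE status = ''' || p_status || ''''
    INTO l_cnt;
  DBMS_OUTPUT.PUT_LINE('orders: ' || l_cnt);
END;
/

-- Hardened: invoker rights, so the caller gains nothing beyond its own grants,
-- and the value travels as a bind variable, so it is data, never SQL text.
-- Under AUTHID CURRENT_USER the caller needs SELECT on app_owner.orders;
-- that is the point: privileges stay with the caller, not the owner.
CREATE OR REPLACE PROCEDURE app_owner.count_orders (p_status IN VARCHAR2)
  AUTHID CURRENT_USER
IS
  l_cnt PLS_INTEGER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app_owner.orders WHERE status = :status'
    INTO l_cnt
    USING p_status;
  DBMS_OUTPUT.PUT_LINE('orders: ' || l_cnt);
END;
/

-- Grant only the hardened entry point, and only to the account that needs it.
GRANT SELECT  ON app_owner.orders       TO app_user;
GRANT EXECUTE ON app_owner.count_orders TO app_user;

-- Called as APP_USER: the argument is still only ever a bound value.
BEGIN
  app_owner.count_orders('SHIPPED');
END;
/
```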

Basic Idea of Oracle Web Hacking

The following describes how to identify the target and how to determine the injection parameters. The main question is how to determine that the database is Oracle, which can easily be decided from the database's characteristics: Oracle supports -- style comments but does not support executing multiple statements in one query. Oracle also has many system tables, such as all_tables, and accessing these tables shows whether the database is Oracle.

In addition, some Oracle functions can be used to tell it apart, such as utl_http.request, and small language details can distinguish systems too: in Oracle || is the string concatenation operator, but not in other databases, so if and chr(123)||chr(123)=chr(123)||chr(123) executes smoothly, the database is basically Oracle. Also, when some scripts encounter a database query error, the error information is not handled and the real backend database is leaked, which makes it obvious.

Then the type of the injection point must be determined. In general, the parameter we enter is either a numeric type or a character type (the so-called search injection that many others talk about should really be classified as the character type). For the numeric type there is not much to consider; it is easy to add -- comment characters to close the statement properly.

If it is a character type, consider how to make the entire statement correct, usually adding ' and -- injection characters to construct your own injection environment. In some complex situations, such as a parameter that appears in multiple SQL statements and logic paths, injection statements that fit the environment must be constructed carefully. Remember, all we need is a good environment into which our own SQL commands can be inserted :)
