Call now: 252-767-6166  
Oracle Training Oracle Support Development Oracle Apps

Free Oracle Tips

HTML Text

 Home
 E-mail Us
 Oracle Articles


 Oracle Training
 Oracle Tips
 Oracle Forum
 Class Catalog


 Remote DBA
 Oracle Tuning
 Emergency 911
 RAC Support
 Apps Support
 Analysis
 Design
 Implementation
 Oracle Support


 SQL Tuning
 Security
 Oracle UNIX
 Oracle Linux
 Monitoring
 Remote support
 Remote plans
 Remote services
 Application Server
 Applications
 Oracle Forms
 Oracle Portal
 App Upgrades
 SQL Server
 Oracle Concepts
 Software Support
 Remote Support  
 Development  
 Implementation


 Consulting Staff
 Consulting Prices
 Help Wanted!

 


  Oracle Posters
 Oracle Books
  Oracle Scripts
 Ion
 Excel-DB   


 

Privacy Policy

Blog

Golf Travel
 

 
 

 

 

How to Find a New PLSQL Injection Vulnerability

Oracle Forensics tips by Paul Wright

The point of PLSQL injection is that a low privileged user can insert SQL into the package which by default runs with the privileges of the schema within which the package was created. Therefore the injected SQL can do things that the schema owner can do. If the schema owner is a DBA and the injector is PUBLIC user then there is a privilege escalation from lowest privilege user to the highest privilege user in the Oracle DB. These vulnerabilities are quite common both in Oracle's code and bespoke code written for a particular customer privately. It is important that Security Officers responsible for Oracle databases understand how to find these vulnerabilities so that they can be secured.

In order to find a new SQL Injection a vulnerability researcher would likely list all the new PLSQL packages in a new release and minus the known packages from previous releases which have been found to be vulnerable.

The packages of most interest are the ones owned by a DBA user such as SYS, SYSTEM, CTXSYS or WKSYS for instance. Taking WKSYS the researcher could run this query below to identify the packages that could give privilege escalation IF they were vulnerable to SQL Injection.

Findprimesqlinjtargets.sql

(((select table_name from dba_tab_privs where grantee='PUBLIC' and owner='WKSYS')
intersect
(select object_name from dba_objects where object_type='PACKAGE' and
owner='WKSYS'))
minus
(SELECT name FROM DBA_SOURCE WHERE TEXT LIKE '%current_user%' AND
owner='WKSYS'));

SQL> (((select table_name from dba_tab_privs where grantee='PUBLIC' and owner='WKSYS')intersect
(select object_name from dba_objects where object_type='PACKAGE' and owner='WKSYS'))minus
(SELECT name FROM DBA_SOURCE WHERE TEXT LIKE '%current_user%' AND owner='WKSYS'));

TABLE_NAME
--------------------------------------------------------------------------------
OUS_ADM
WKDS_ADM
WK_ACL
WK_ADM
WK_CRW
WK_DDL
WK_DEF
WK_ERR
WK_JOB
WK_META
WK_PORTAL

TABLE_NAME
--------------------------------------------------------------------------------
WK_QRY
WK_QUERYAPI
WK_QUERY_ADM
WK_QUTIL
WK_SGP
WK_SNAPSHOT
WK_UTIL

18 rows selected.

Then describe each package within the WKSYS schema to see what parameters the package takes into each procedure and function.

SQL> desc wksys.wk_qry

FUNCTION ESTIMATEHITCOUNT RETURNS NUMBER

 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 P_QUERY                        VARCHAR2                IN     DEFAULT
 P_DSIDS                        NUMBER_ARR              IN     DEFAULT
 P_LANG                         VARCHAR2                IN     DEFAULT
 PROCEDURE GETRESULT

 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 QUERY                          VARCHAR2                IN     DEFAULT
 FILTER                         VARCHAR2                IN     DEFAULT
 TERMS                          VARCHAR2                IN     DEFAULT
 START_POINTER                  NUMBER                  IN     DEFAULT
 REC_REQUESTED                  NUMBER                  IN     DEFAULT
……….

PROCEDURE SETOPTION

 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 KEY                            VARCHAR2                IN
 VAL                            VARCHAR2                IN
 PROCEDURE SETPROPERTY

 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 P_PROPERTY_NAME                VARCHAR2                IN     DEFAULT
 P_PROPERTY_VALUE               VARCHAR2                IN     DEFAULT
 PROCEDURE SETSESSIONLANG

 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 NLS_LANGUAGE                   VARCHAR2                IN

After a list of procedures and functions has been made then it is a case of inserting SQL into the parameters of the most easily completed ones. These parameters are designed to take the input to the program such as strings and numbers. They are not usually designed to take in SQL. If input is not parsed then SQL inserted instead of the expected input may run with definer privileges. The easiest way to test this is to insert a single quote into each of the parameters and see if an error message is returned that shows that the single quote was interpreted as SQL. The key point at this stage is to note that in order to inject a single quote into PLSQL you need to escape the single quote with another single quote.

 

This is an excerpt from the book "Oracle Forensics: Oracle Security Best Practices", by Paul M. Wright, the father of Oracle Forensics.

 

 
 
  
 

 
 
 
 
Oracle performance tuning software
 
 

 

 
 
 
Oracle performance Tuning 10g reference poster
 
 
 
Oracle training in Linux commands
 
Oracle training Excel
 
Oracle training & performance tuning books
 

 

Burleson is the American Team

Note: This Oracle documentation was created as a support and Oracle training reference for use by our DBA performance tuning consulting professionals.  Feel free to ask questions on our Oracle forum.

Verify experience! Anyone considering using the services of an Oracle support expert should independently investigate their credentials and experience, and not rely on advertisements and self-proclaimed expertise. All legitimate Oracle experts publish their Oracle qualifications.

Errata?  Oracle technology is changing and we strive to update our BC Oracle support information.  If you find an error or have a suggestion for improving our content, we would appreciate your feedback.  Just  e-mail:  and include the URL for the page.


                    









Burleson Consulting

The Oracle of Database Support

Oracle Performance Tuning

Remote DBA Services


 

Copyright © 1996 -  2010 by Burleson Enterprises, Inc.

All rights reserved.

Oracle © is the registered trademark of Oracle Corporation.