The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws


Chapter 9  ■ Injecting Code








Oracle

A huge number of security vulnerabilities have been found within the Oracle database software itself. If you have found an SQL injection vulnerability that enables you to perform arbitrary queries, then you can typically escalate to DBA privileges by exploiting one of these vulnerabilities.

Oracle contains many built-in stored procedures that execute with DBA privileges and have been found to contain SQL injection flaws within the procedures themselves. One example of such a flaw existed in the default package SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES prior to the July 2006 critical patch update. This can be exploited to escalate privileges by injecting the query grant DBA to public into the vulnerable field:

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('INDX','SCH','TEXTINDEXMETHODS".ODCIIndexUtilCleanup(:p1); execute immediate ''declare pragma autonomous_transaction; begin execute immediate ''''grant dba to public'''' ; end;''; END;--','CTXSYS',1,'1',0) from dual

This type of attack could be delivered via a SQL injection flaw in a web application by injecting the function into the vulnerable parameter.

Many other types of flaws have affected built-in components of Oracle. One example is the CTXSYS.DRILOAD.VALIDATE_STMT function. The purpose of this function is to test that a specified string contains a valid SQL statement. However, in earlier versions of Oracle, in the course of validating the supplied statement the function actually executed it! This meant that any user could execute any statement as DBA, simply by passing it to this function. For example:

exec CTXSYS.DRILOAD.VALIDATE_STMT('GRANT DBA TO PUBLIC')



In addition to actual vulnerabilities like these, Oracle also contains a large amount of default functionality that is accessible by low-privileged users and can be used to perform undesirable actions, such as initiating network connections or accessing the file system. In addition to the powerful packages already described for creating out-of-band connections, the package UTL_FILE can be used to read from and write to files on the database server file system. See The Oracle Hacker's Handbook by David Litchfield (Wiley, 2007) for more detail on escalating privileges within Oracle.
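As an added, defender-side example (not code from the book): a small Python scanner that flags captured SQL statements, such as lines from a database audit trail, carrying the signatures of the two Oracle escalation vectors described above (the vulnerable DBMS_EXPORT_EXTENSION procedure, DRILOAD.VALIDATE_STMT, a nested GRANT DBA TO PUBLIC wrapped in an autonomous transaction). The sample audit statements are constructed, the escalation payload in them is abbreviated, and the function names are the author's own.

```python
from __future__ import annotations
import re

# Signatures drawn from the two escalation vectors in the text: calls to the
# pre-July-2006 DBMS_EXPORT_EXTENSION procedure or to DRILOAD.VALIDATE_STMT,
# a nested dynamic GRANT, and the autonomous-transaction wrapper the payload uses.
VULNERABLE_PROCS = (
    "DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES",
    "CTXSYS.DRILOAD.VALIDATE_STMT",
)
GRANT_DBA_TO_PUBLIC = re.compile(r"\bGRANT\s+DBA\s+TO\s+PUBLIC\b")
DYNAMIC_EXEC = re.compile(r"\bEXECUTE\s+IMMEDIATE\b")
AUTONOMOUS_TX = re.compile(r"\bPRAGMA\s+AUTONOMOUS_TRANSACTION\b")


def normalise(sql: str) -> str:
    """Upper-case, collapse whitespace and map curly quotes to ASCII so that
    line-wrapped or quote-substituted statements still hit the signatures."""
    sql = sql.translate(str.maketrans("\u2018\u2019\u201c\u201d", "''\"\""))
    return " ".join(sql.split()).upper()


def classify(sql: str) -> list[str]:
    """Return the reasons a statement looks like an Oracle privilege-escalation
    attempt; an empty list means nothing matched."""
    s = normalise(sql)
    reasons = [f"call to {p}" for p in VULNERABLE_PROCS if p in s]
    if GRANT_DBA_TO_PUBLIC.search(s):
        reasons.append("GRANT DBA TO PUBLIC")
    if DYNAMIC_EXEC.search(s) and AUTONOMOUS_TX.search(s):
        reasons.append("nested EXECUTE IMMEDIATE inside an autonomous transaction")
    return reasons


def scan(statements: list[str]) -> list[tuple[int, list[str]]]:
    """Scan captured statements and report suspicious ones as (position, reasons)."""
    return [(i, r) for i, stmt in enumerate(statements, 1) if (r := classify(stmt))]


# Constructed sample audit statements; the escalation payload is abbreviated with "..."
SAMPLE_AUDIT = [
    "SELECT id, name FROM products WHERE category = 'books'",
    "select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('INDX','SCH','TEXTINDEXMETHODS\""
    " ... execute immediate ''declare pragma autonomous_transaction; begin execute"
    " immediate ''''grant dba to public'''' ; end;'' ... ,'CTXSYS',1,'1',0) from dual",
    "exec CTXSYS.DRILOAD.VALIDATE_STMT(\u2018GRANT DBA TO PUBLIC\u2019)",
    "SELECT granted_role FROM user_role_privs",
]

if __name__ == "__main__":
    for pos, reasons in scan(SAMPLE_AUDIT):
        print(pos, "; ".join(reasons))
```

The scanner matches on the procedure names and the GRANT regardless of how the nested payload is quoted, which is why normalisation of curly quotes and whitespace runs first.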

MySQL

Compared to the other databases covered, MySQL contains relatively little built-in functionality that can be misused by an attacker. One example is the

