In this section we discuss PL/SQL Injection, an important attack technique relating to stored procedures in Oracle. Using PL/SQL Injection, attackers can potentially elevate their level of privilege from a low-level PUBLIC account to an account with DBA-level privileges. The technique relates to almost all versions of Oracle, and can be used to attack custom stored procedures as well as those supplied with Oracle itself.
This section examines how to inject into SELECT statements.
Consider the code of this procedure and assume it is owned by SYS and can be executed by PUBLIC:
CREATE OR REPLACE PROCEDURE LIST_LIBRARIES(P_OWNER VARCHAR2) AS
  TYPE C_TYPE IS REF CURSOR;
  CV     C_TYPE;
  BUFFER VARCHAR2(200);
BEGIN
  DBMS_OUTPUT.ENABLE(1000000);
  -- P_OWNER is concatenated straight into the query text: this is the injection point
  OPEN CV FOR 'SELECT OBJECT_NAME FROM ALL_OBJECTS WHERE OWNER = ''' || P_OWNER || ''' AND OBJECT_TYPE=''LIBRARY''';
  LOOP
    FETCH CV INTO BUFFER;
    EXIT WHEN CV%NOTFOUND;   -- test before printing so the last row is not echoed twice
    DBMS_OUTPUT.PUT_LINE(BUFFER);
  END LOOP;
  CLOSE CV;
END;
/
This procedure lists all libraries owned by a given user — the user being supplied by the person executing the procedure. The list of libraries is then echoed to the terminal using DBMS_OUTPUT.PUT_LINE. The procedure would be executed as follows:
SET SERVEROUTPUT ON
EXEC SYS.LIST_LIBRARIES('SYS');
This procedure is vulnerable to SQL injection. The user executing the procedure can enter a single quote to “break out” from the original code-defined query and insert his ...
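For comparison, here is a hardened rewrite of the same procedure. This is an added example, not code from the original text: the procedure name LIST_LIBRARIES_SAFE and the bind placeholder :owner are my own; the USING clause and AUTHID CURRENT_USER are standard Oracle PL/SQL features.

```sql
-- Added example: the same procedure with P_OWNER passed as a bind variable
-- instead of being concatenated into the query string. A bind value is always
-- treated as data, so a quote inside P_OWNER cannot close the literal and
-- alter the statement. AUTHID CURRENT_USER makes the procedure run with the
-- caller's privileges rather than the definer's (here SYS), which removes the
-- privilege-elevation payoff even if some other flaw remained.
CREATE OR REPLACE PROCEDURE LIST_LIBRARIES_SAFE(P_OWNER VARCHAR2)
AUTHID CURRENT_USER AS
  TYPE C_TYPE IS REF CURSOR;
  CV     C_TYPE;
  BUFFER VARCHAR2(200);
BEGIN
  DBMS_OUTPUT.ENABLE(1000000);
  -- :owner is a placeholder; the value arrives via USING, never via string concatenation.
  -- (Since nothing in the statement structure varies, a static cursor
  --  FOR R IN (SELECT ... WHERE OWNER = P_OWNER) would be simpler still.)
  OPEN CV FOR
    'SELECT OBJECT_NAME FROM ALL_OBJECTS WHERE OWNER = :owner AND OBJECT_TYPE = ''LIBRARY'''
    USING P_OWNER;
  LOOP
    FETCH CV INTO BUFFER;
    EXIT WHEN CV%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(BUFFER);
  END LOOP;
  CLOSE CV;
END;
/

-- Normal use is unchanged
SET SERVEROUTPUT ON
EXEC LIST_LIBRARIES_SAFE('SYS');

-- An owner name containing a quote (constructed sample value) is now simply a
-- non-matching string: the original version would instead raise ORA-01756
-- because the quote terminates the literal inside the concatenated SQL text.
EXEC LIST_LIBRARIES_SAFE('O''BRIEN');
```

When auditing existing code, searching package bodies for `'' || ` patterns inside EXECUTE IMMEDIATE, OPEN ... FOR and DBMS_SQL.PARSE calls finds the concatenation points that need this treatment.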