Hackers of India

The Making of the second SQL injection Worm

By Sumit Siddharth on 01 Aug 2009 @ Defcon


Presentation Material

Abstract

The “turbo” talk will focus on exploiting SQL injections in web applications with an Oracle back-end. Exploiting Oracle SQL injections in web applications is mostly considered to be restricted to extraction of data only. The Oracle database does not offer hacker-friendly functionalities such as openrowset or xp_cmdshell for privilege escalation and OS code execution. Further, as web APIs do not support execution of multiple queries in a single statement, the exploitation is further restricted. The talk will highlight an attack vector to achieve privilege escalation (from Scott to SYS) and OS code execution by exploiting Oracle SQL injections in web applications. Further, there will be a demo of how a worm could target an Oracle back-end just as it targeted SQL Server applications.

AI Generated Summary (may contain errors)


The speaker discusses exploiting Oracle Application Server Express Edition (XE) using SQL injection. They explain how to extract password hashes and, for privilege escalation, how a DBMS scheduler or the PL/SQL native make utility can be used to execute OS code and gain read-write access to files on the backend database.

The speaker then moves on to discuss an Oracle-based SQL injection worm that targets vulnerable applications. The worm updates the web frontend to inject malicious JavaScript, which points to browser exploits targeting end users. However, the possibilities for exploitation are endless, including executing OS code, hacking the Oracle server itself, and more.

The speaker demonstrates a proof-of-concept worm that achieves similar results to the MS SQL worm. They use a PHP application connecting to an Oracle database server 10g as user “scott” with password “tiger”. The worm escalates privileges, becomes a DBA, and performs a massive update, which changes the frontend to point to a Metasploit browser autopwn module.

The demo shows how the worm injects PL/SQL with sys privileges, performs an update query, and launches a new window pointing to the browser autopwn. The speaker concludes by demonstrating how the worm can be used to hack end users.
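The demo's foothold is a PHP page that builds its SQL from request input while connected to Oracle as scott/tiger. Below is an added example, not code from the talk or its demo application, showing that lookup written with string concatenation next to the same lookup written with a bind variable; the connect string `localhost/XE` and the `products` table are assumptions for illustration.

```php
<?php
// Added example (not the talk's code). Connects as the demo's scott/tiger
// account; host string and table name are assumed.
$conn = oci_connect('scott', 'tiger', 'localhost/XE');
if (!$conn) {
    $e = oci_error();
    die('Connect failed: ' . htmlspecialchars($e['message']));
}

$id = $_GET['id'] ?? '';

// VULNERABLE: the request value becomes part of the statement text. Oracle
// will not run a second stacked statement here, but the talk's point is that
// an attacker does not need one: a subquery or function call placed inside
// this single SELECT executes with scott's privileges, which is where the
// worm's privilege escalation starts.
function lookupVulnerable($conn, $id)
{
    $stmt = oci_parse($conn, "SELECT name FROM products WHERE id = " . $id);
    oci_execute($stmt);
    return $stmt;
}

// HARDENED: the statement text is fixed at parse time and the value travels
// as a bind variable, so it is never parsed as SQL. No injected PL/SQL,
// subquery or function call can ride inside it.
function lookupSafe($conn, $id)
{
    $stmt = oci_parse($conn, 'SELECT name FROM products WHERE id = :id');
    oci_bind_by_name($stmt, ':id', $id);
    if (!oci_execute($stmt)) {
        $e = oci_error($stmt);
        die('Query failed: ' . htmlspecialchars($e['message']));
    }
    return $stmt;
}

$stmt = lookupSafe($conn, $id);
// OCI8 returns unquoted Oracle column names in upper case.
while (($row = oci_fetch_assoc($stmt)) !== false) {
    // Output encoding: the worm in the demo works by writing script tags into
    // page content, so stored data is escaped before it reaches the browser.
    echo htmlspecialchars($row['NAME']), "\n";
}
oci_free_statement($stmt);
oci_close($conn);
```

Bind variables remove the injection point entirely; they do not change what the scott account itself can do once reached, which is why the escalation path the talk describes is a separate concern from the query fix.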

Some key takeaways from this content include: