Hacking Oracle From Web Apps

By Sumit Siddharth on 30 Jul 2010 @ Defcon
#sql-injection #application-pentesting #security-testing #secure-coding #data-protection
Focus Areas: Data Privacy & Protection, Application Security, DevSecOps, Web Application Security

Abstract

This talk will focus on exploiting SQL injections in web applications with an Oracle back-end and will discuss all old and new techniques. The talk will target Oracle 9i, 10g and 11g (R1 and R2). It is widely considered that the impact of SQL injection in web apps with an Oracle back-end is limited to extraction of data with the privileges of the user mentioned in the connection string. The Oracle database does not offer hacker-friendly functionality such as openrowset or xp_cmdshell for privilege escalation and OS code execution. Further, as Oracle by design does not support execution of multiple queries in a single SQL statement, exploitation is further restricted. The talk will highlight attack vectors to achieve privilege escalation (from Scott to SYS) and OS code execution, all by exploiting Oracle SQL injections from web applications. Further, as a number of organizations move to compliance regimes like PCI, they ensure that card data is always stored encrypted, with the private key never stored inside the database. The talk will focus on what hackers are doing in the wild to bypass these measures and to obtain clear-text card data when it is only stored encrypted, or even when it is never stored.

AI Generated Summary

The talk focuses on exploiting SQL injection vulnerabilities in web applications with an Oracle back-end, in contrast to prior research that assumed direct (internal network) access to the database. It distinguishes between PL/SQL injection, where attacker-controlled text lands inside a PL/SQL block and can therefore execute any number of statements, much like interactive database access, and standard SQL injection, which in Oracle is confined to the single statement being executed because stacked queries are not supported.

Key findings include specific Oracle functions that can be reached from an injected SQL statement and abused for privilege escalation and OS command execution. SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES (fixed by Oracle in 2006) is highlighted as the classic vector: it runs with SYS's definer's rights and assembles a PL/SQL block from caller-supplied text, so a single SELECT injection that calls it becomes a PL/SQL injection able to grant DBA. For OS code execution, two paths are detailed: where the database user holds the required Java IO permissions, running a command through DBMS_JAVA_TEST.FUNCALL and the oracle/aurora/util/Wrapper class; or, once DBA privileges have been obtained, using SYS.KUPP$PROC.CREATE_MASTER_PROCESS to execute PL/SQL as SYS, which in turn creates and runs an external job via DBMS_SCHEDULER. The speaker notes that commercial tools like Pangolin and Core Impact still rely on the older GET_DOMAIN_INDEX_TABLES exploit, while the free tool bsqlbf (a new version is presented) automates exploitation end to end, including uploading and executing Metasploit payloads on the database server.
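The two mechanisms described above, a single-statement SQL injection that can still smuggle in a function call, and PL/SQL injection inside a definer's-rights package that turns that call into arbitrary statements, illustrated with an added example that is not from the talk. The schema APPOWNER, the package DISPATCH_PKG, the PRODUCTS table and the web query are hypothetical stand-ins for the Oracle-supplied packages the talk names; the package only mirrors the shape of that bug class (a PL/SQL block assembled from a caller-supplied name) and reproduces no real Oracle code or payload. It assumes the web application connects as SCOTT and that APPOWNER holds GRANT ANY ROLE as a directly granted privilege (roles are not active inside definer's-rights code, which is why the real vector mattered most in SYS-owned packages).

```sql
-- Added example, not from the talk. APPOWNER, DISPATCH_PKG, PRODUCTS and
-- the web query are hypothetical; the package mirrors the shape of the
-- bug class (PL/SQL source assembled from a caller-supplied name) only.

-- 1. Vulnerable package, created by the privileged schema. AUTHID DEFINER
--    is the default: everything inside runs as APPOWNER, whoever calls it.
--    EXECUTE is granted to PUBLIC, as it was for many Oracle-supplied
--    packages.
CREATE OR REPLACE PACKAGE appowner.dispatch_pkg AUTHID DEFINER AS
  FUNCTION run_handler(p_handler IN VARCHAR2, p_arg IN VARCHAR2) RETURN VARCHAR2;
END dispatch_pkg;
/
CREATE OR REPLACE PACKAGE BODY appowner.dispatch_pkg AS
  FUNCTION run_handler(p_handler IN VARCHAR2, p_arg IN VARCHAR2) RETURN VARCHAR2 IS
    l_out VARCHAR2(4000);
  BEGIN
    -- p_arg is bound (safe); p_handler is pasted into PL/SQL source text,
    -- so whoever controls it controls the whole block: PL/SQL injection.
    EXECUTE IMMEDIATE 'BEGIN :out := ' || p_handler || '(:arg); END;'
      USING OUT l_out, IN p_arg;
    RETURN l_out;
  END run_handler;
END dispatch_pkg;
/
GRANT EXECUTE ON appowner.dispatch_pkg TO PUBLIC;

-- 2. What the database receives from the web application (connected as
--    SCOTT) after it concatenates a crafted "id" parameter. An id of
--    "1; GRANT DBA TO SCOTT" fails: Oracle will not parse a second
--    statement. A subquery calling the function is still one statement.
--    The argument is the injected PL/SQL; its GRANT sits inside an
--    autonomous transaction because DDL issued from a function that a
--    query is executing otherwise raises ORA-14552.
SELECT name, price
  FROM products
 WHERE id = 1
   AND (SELECT appowner.dispatch_pkg.run_handler(
               ':arg; EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; '
            || 'BEGIN EXECUTE IMMEDIATE ''''GRANT DBA TO SCOTT''''; END;''; END;--',
               'x')
          FROM DUAL) IS NOT NULL;
-- The block APPOWNER ends up running (the "--" comments out the template's
-- own tail, so the bind placeholders still line up with the USING clause):
--   BEGIN :out := :arg; EXECUTE IMMEDIATE 'DECLARE PRAGMA AUTONOMOUS_TRANSACTION;
--     BEGIN EXECUTE IMMEDIATE ''GRANT DBA TO SCOTT''; END;'; END;--(:arg); END;

-- 3. Hardened package: invoker's rights plus an identifier check. With
--    AUTHID CURRENT_USER the block runs as the caller (SCOTT), so a
--    smuggled GRANT fails for lack of privilege; DBMS_ASSERT.SQL_OBJECT_NAME
--    raises ORA-44002 unless p_handler is the name of an existing object,
--    so free-form PL/SQL text never reaches the generated source.
CREATE OR REPLACE PACKAGE appowner.dispatch_pkg AUTHID CURRENT_USER AS
  FUNCTION run_handler(p_handler IN VARCHAR2, p_arg IN VARCHAR2) RETURN VARCHAR2;
END dispatch_pkg;
/
CREATE OR REPLACE PACKAGE BODY appowner.dispatch_pkg AS
  FUNCTION run_handler(p_handler IN VARCHAR2, p_arg IN VARCHAR2) RETURN VARCHAR2 IS
    l_out VARCHAR2(4000);
  BEGIN
    EXECUTE IMMEDIATE 'BEGIN :out := ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_handler)
                   || '(:arg); END;'
      USING OUT l_out, IN p_arg;
    RETURN l_out;
  END run_handler;
END dispatch_pkg;
/
```

Two points worth keeping in mind when reviewing real packages against this pattern: DBMS_ASSERT.SQL_OBJECT_NAME only proves the string names some object the caller can resolve, so an explicit allow-list of permitted handler names is the tighter fix where the set is known; and the hardened package does nothing for the web application's own concatenated query, which still needs bind variables (the SELECT above would accept any subquery SCOTT is allowed to run).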

A significant conceptual contribution is the description of "non-interactive second-order injection," where attacker-controlled input is stored in the database (safely, through a bound parameter) and later, when an administrator's session reads it back and builds SQL from it, triggers an injection in that privileged context, bypassing any front-end validation because the stored value never had to look like an attack at the point of entry. Practical implications stress that web applications connecting to Oracle with high-privilege accounts, or databases exposing vulnerable default packages (running with definer's rights), are critical risk factors. The talk concludes that even an unprivileged SQL injection can lead to full system compromise through these chained techniques, and that values read back from the database must be treated as untrusted when they are later used to build SQL in privileged administrative workflows.
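The second-order path in the paragraph above, as an added example that is not from the talk. The tables APP_USERS and AUDIT_LOG, the registration insert, the PURGE_USER_DATA procedure and the rows loaded into them are all hypothetical and constructed; it assumes the administrator runs the procedure with the privileges of the schema that owns both tables.

```sql
-- Added example, not from the talk. APP_USERS, AUDIT_LOG, the web
-- registration insert and PURGE_USER_DATA are hypothetical; the rows
-- are constructed sample data.
CREATE TABLE app_users (
  user_id  NUMBER        PRIMARY KEY,
  username VARCHAR2(100) NOT NULL
);
CREATE TABLE audit_log (
  actor    VARCHAR2(100) NOT NULL,
  action   VARCHAR2(200) NOT NULL
);
-- Rows the attacker must not be able to touch.
INSERT INTO audit_log VALUES ('alice', 'login');
INSERT INTO audit_log VALUES ('admin', 'reset password for bob');
COMMIT;

-- 1. Front end, running as the low-privilege web user. Registration uses
--    a bind (here a PL/SQL variable, which static SQL always binds), so
--    the quote and the OR are stored as plain data. Nothing happens at
--    this point, and a front-end filter looking for DELETE or DROP has
--    nothing to match: the payload carries no dangerous keyword at all.
DECLARE
  l_name app_users.username%TYPE := q'[bob' OR 1=1--]';
BEGIN
  INSERT INTO app_users (user_id, username) VALUES (42, l_name);
  COMMIT;
END;
/

-- 2. Admin side, later. A definer's-rights procedure owned by the
--    privileged schema and run by a DBA from an internal tool. The
--    username comes from the database, so it looks trusted, and is
--    concatenated into SQL text.
CREATE OR REPLACE PROCEDURE purge_user_data (p_user_id IN NUMBER)
AUTHID DEFINER IS
  l_name app_users.username%TYPE;
BEGIN
  SELECT username INTO l_name FROM app_users WHERE user_id = p_user_id;
  -- For user 42 the statement becomes
  --   DELETE FROM audit_log WHERE actor = 'bob' OR 1=1--'
  -- ("--" hides the closing quote) and empties the table with the
  -- owner's privileges, long after the payload was submitted.
  EXECUTE IMMEDIATE
    'DELETE FROM audit_log WHERE actor = ''' || l_name || '''';
END purge_user_data;
/

-- 3. Hardened: data read back from a table is still data. Pass it as a
--    bind so the statement text never changes, whatever was stored.
--    Static SQL (DELETE FROM audit_log WHERE actor = l_name;) does the
--    same; dynamic SQL is only warranted when the object name varies.
CREATE OR REPLACE PROCEDURE purge_user_data (p_user_id IN NUMBER)
AUTHID DEFINER IS
  l_name app_users.username%TYPE;
BEGIN
  SELECT username INTO l_name FROM app_users WHERE user_id = p_user_id;
  EXECUTE IMMEDIATE 'DELETE FROM audit_log WHERE actor = :actor'
    USING l_name;
END purge_user_data;
/

-- 4. Check: with the hardened procedure, purging user 42 only removes
--    rows whose actor is literally "bob' OR 1=1--", so both audit rows
--    survive.
BEGIN
  purge_user_data(42);
END;
/
SELECT actor, action FROM audit_log ORDER BY actor;
```

The lesson for review work is that the injection point is nowhere near the input that carried the payload: the registration code is correct, and a code reviewer or scanner that only follows request parameters into queries will clear it. Any dynamic SQL built from column values, especially in definer's-rights administrative code, has to be audited as if those values had arrived straight from the network.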

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.