[sqlmap-users] Oracle PL/SQL Stacked Queries Question
Chris Oakley
2012-10-03 20:33:43 UTC
Hi All

When I get an injection for an Oracle system on the back end, I can use
--sql-shell with no problems. However, if I try to use stacked queries
here, I get an error message from SQLMap saying that I can't do that unless
stacked queries are enabled, which as far as I know you can't do with
Oracle, so that makes sense.

However, I've been reading and it seems (I could be wrong here, still
playing) that from 8i to 11g R2 there are packages which allow execution of
anonymous PL/SQL blocks - dbms_xmlquery.newcontext() and
dbms_xmlquery.getxml(). These are accessible to public by default. So an
injection might be ?id=1 and (select dbms_xmlquery.newcontext('various;
stacked; queries;') from dual) is not null -- I've looked at SQLMap's
queries through a proxy and I don't think it does anything like this.
Again, I'm just reading up on this now so I could well be off base here.

Ultimately, I'm trying to use the injection to gain DBA privs. I'm playing
around manually at the moment but wondered if this is something SQLMap
could potentially do and doesn't (or I'm totally wrong!)

Regards

Chris
Bernardo Damele A. G.
2012-10-04 11:27:41 UTC
Hi Chris,
Post by Chris Oakley
Hi All
When I get an injection for an Oracle system on the back end, I can use
--sql-shell with no problems. However, if I try to use stacked queries
here, I get an error message from SQLMap saying that I can't do that unless
stacked queries are enabled, which as far as I know you can't do with
Oracle, so that makes sense.
Web application programming languages like PHP, ASP, ASP.NET and JSP
obviously have functions to query Oracle (or rely on ODBC/JDBC or
similar drivers). Regardless, they do not interpret and stack up
separate queries sequentially when a semi-colon (;) is provided, hence
stacked-queries SQL injection won't work by default.
However, when the SQL injection is within an Oracle function and PL/SQL
code is allowed, you can stack queries sequentially. We have an open
ticket to deal with this,
https://github.com/sqlmapproject/sqlmap/issues/16
Post by Chris Oakley
However, I've been reading and it seems (I could be wrong here, still
playing) that from 8i to 11g R2 there are packages which allow execution of
anonymous PL/SQL blocks - dbms_xmlquery.newcontext() and
dbms_xmlquery.getxml(). These are accessible to public by default. So an
injection might be ?id=1 and (select dbms_xmlquery.newcontext('various;
stacked; queries;') from dual) is not null -- I've looked at SQLMaps
queries through a proxy and I don't think it does anything like this.
Again, I'm just reading up on this now so I could well be off base here.
Correct. There are a few tricks, as far as I am aware, to stack queries
in Oracle. This is one of those. sqlmap does not yet implement any of
these.
Post by Chris Oakley
Ultimately, I'm trying to use the injection to gain DBA privs. I'm playing
around manually at the moment but wondered if this is something SQLMap could
potentially do and doesn't (or I'm totally wrong!)
Depending on the Oracle release and its version, you can leverage
different PL/SQL injections in default functions/triggers to escalate
your privileges to DBA. Metasploit has auxiliary modules for a number
of these vulnerabilities; see here:
https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/sqli/oracle
Look at the source code and forge your SQLi payload accordingly.
We have an open ticket to automate DBA privilege escalation on Oracle,
https://github.com/sqlmapproject/sqlmap/issues/29
--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
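The distinction Bernardo draws (the web tier never stacks on ";", but an Oracle function that takes a string of PL/SQL will run a whole block) is also what makes this pattern detectable at the web tier: the request has to carry the package name and a quoted block. The following is an added example of that detection logic, written for this thread and not part of sqlmap or Metasploit. It scans constructed Apache-style access-log lines, URL-decodes twice to undo double encoding, strips inline `/**/` comments, and flags the two DBMS_XMLQUERY entry points named above plus a quoted literal that contains a ";". The indicator list, the log format and the sample lines are all assumptions made for the example.

```python
"""
Web-tier detection of Oracle PL/SQL-execution primitives in query strings.
Added example for this thread; not sqlmap code. Indicators and log lines
are constructed assumptions.
"""
import re
from urllib.parse import urlsplit, unquote_plus

# Package.function names that accept a string of PL/SQL and execute it.
# Only the two named in the thread are listed (assumption: extend as needed).
PLSQL_EXEC_INDICATORS = (
    "dbms_xmlquery.newcontext",
    "dbms_xmlquery.getxml",
)

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)   # inline SQL comments used as separators
WS_RE = re.compile(r"\s+")
# Apache combined log: "METHOD target HTTP/x.y" status
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalise(query_string: str) -> str:
    """URL-decode twice (undoes %25xx double encoding), drop /**/ comments,
    collapse whitespace and lowercase so that trivial evasions still match."""
    s = unquote_plus(unquote_plus(query_string))
    s = COMMENT_RE.sub("", s)
    s = WS_RE.sub(" ", s)
    return s.lower()


def inspect_request(path_and_query: str) -> list:
    """Return the indicator names found in one request target ([] if clean)."""
    norm = normalise(urlsplit(path_and_query).query)
    hits = [ind for ind in PLSQL_EXEC_INDICATORS if ind in norm]
    # A quoted literal containing ';' is the shape of a stacked PL/SQL block
    # passed as the package argument; only meaningful next to an indicator.
    if hits and re.search(r"'[^']*;", norm):
        hits.append("plsql-block-literal")
    return hits


def scan_log(lines) -> list:
    """Scan access-log lines; return one finding dict per suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        hits = inspect_request(m.group("target"))
        if hits:
            findings.append({"line": number, "target": m.group("target"),
                             "indicators": hits})
    return findings


# Constructed sample log: a benign request, the thread's newcontext shape,
# a double-encoded getxml call split by a /**/ comment, and a POST with no query.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Oct/2012:11:27:41 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [04/Oct/2012:11:27:42 +0000] "GET /item.php?id=1%20and%20(select%20'
    'dbms_xmlquery.newcontext(%27various%3B%20stacked%3B%20queries%3B%27)%20from%20dual)'
    '%20is%20not%20null HTTP/1.1" 200 512',
    '10.0.0.5 - - [04/Oct/2012:11:27:43 +0000] "GET /item.php?id=1%2520and%2520'
    'dbms_xmlquery.%252F%252A%252A%252Fgetxml(%2527x%2527)%2520is%2520not%2520null HTTP/1.1" 500 233',
    '10.0.0.7 - - [04/Oct/2012:11:27:44 +0000] "POST /login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['indicators']}  {f['target']}")
```

The literal check is deliberately gated on an indicator hit, because a lone ";" inside a quoted value is common in legitimate traffic; the package names are the high-confidence signal, and the block-literal tag only adds context for triage.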
Chris Oakley
2012-10-04 12:27:57 UTC
Hi Bernardo

Thanks for a very comprehensive reply.

Your ticket #16 is something I'm going to be doing very soon; I need more
practice with this. I'll check out some of those aux modules too.

The David Litchfield papers linked from one of your tickets are also
interesting reading. The user has the following privs:

SELECT * FROM session_privs; [11]:
[*] CREATE CLUSTER
[*] CREATE INDEXTYPE
[*] CREATE OPERATOR
[*] CREATE PROCEDURE
[*] CREATE SEQUENCE
[*] CREATE SESSION
[*] CREATE SYNONYM
[*] CREATE TABLE
[*] CREATE TRIGGER
[*] CREATE TYPE
[*] UNLIMITED TABLESPACE

So I think something should be possible here.

Regards

Chris
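The privilege listing Chris posts is the kind of output a DBA should be comparing against what the application account actually needs. The following is an added example, not part of sqlmap or of this thread's tooling: it parses the sqlmap-style `session_privs` output shown above, diffs it against an allowlist for a web application runtime account, and separates out the privileges that let an account create stored code or triggers (the building blocks of the PL/SQL escalation paths Bernardo mentions) from the rest. The allowlist (`CREATE SESSION` only), the risk groupings and the `app_user` grantee name are assumptions made for the example.

```python
"""
Least-privilege audit driven by sqlmap-style session_privs output.
Added example; allowlist, groupings and grantee name are assumptions.
"""
import re

# Assumption: a runtime web application account needs only to connect; schema
# objects are created by a separate deployment account.
RUNTIME_ALLOWLIST = {"CREATE SESSION"}

# Privileges that let a compromised account create executable database code
# (procedures, triggers, types and the operator/indextype plumbing around them).
CODE_CREATION = {"CREATE PROCEDURE", "CREATE TRIGGER", "CREATE TYPE",
                 "CREATE OPERATOR", "CREATE INDEXTYPE"}
RESOURCE_PRIVS = {"UNLIMITED TABLESPACE"}

ITEM_RE = re.compile(r"^\[\*\]\s+(.+?)\s*$")   # sqlmap list item: "[*] PRIV NAME"


def parse_session_privs(text: str) -> set:
    """Extract privilege names from sqlmap's '[*] ...' listing."""
    privs = set()
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            privs.add(m.group(1).upper())
    return privs


def audit(privs: set, allowlist: set = RUNTIME_ALLOWLIST) -> dict:
    """Compare held privileges with the allowlist and group the excess by risk."""
    excess = privs - allowlist
    return {
        "excess": sorted(excess),
        "code_creation": sorted(excess & CODE_CREATION),
        "resource": sorted(excess & RESOURCE_PRIVS),
        "other": sorted(excess - CODE_CREATION - RESOURCE_PRIVS),
        "missing": sorted(allowlist - privs),
    }


def revoke_statements(excess, grantee: str) -> list:
    """Remediation SQL for a DBA to review before running; grantee is assumed."""
    return [f"REVOKE {priv} FROM {grantee};" for priv in excess]


# The listing from the thread, reproduced as the sample input.
SAMPLE = """SELECT * FROM session_privs; [11]:
[*] CREATE CLUSTER
[*] CREATE INDEXTYPE
[*] CREATE OPERATOR
[*] CREATE PROCEDURE
[*] CREATE SEQUENCE
[*] CREATE SESSION
[*] CREATE SYNONYM
[*] CREATE TABLE
[*] CREATE TRIGGER
[*] CREATE TYPE
[*] UNLIMITED TABLESPACE
"""

if __name__ == "__main__":
    report = audit(parse_session_privs(SAMPLE))
    print("code-creation privileges:", report["code_creation"])
    print("resource privileges:", report["resource"])
    for stmt in revoke_statements(report["excess"], "app_user"):
        print(stmt)
```

Run against the listing in the thread, the report shows five code-creation privileges and `UNLIMITED TABLESPACE` on an account that, from the web tier, only needs to open a session; that gap is the finding a DBA acts on, independently of which specific escalation route an attacker would choose.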