Penetration Testing mailing list archives

[PEN-TEST] stacking SQL requests


From: Emmanuel Gadaix <emmanuel () RELAYGROUP COM>
Date: Wed, 30 Aug 2000 14:48:54 +0700

We've seen a few examples on the list of "xp_cmdshell" dangers with SQL server.
I'd be interested to find out the equivalent in Oracle.

With SQL*Plus, there is a "host()" command, e.g.:
SQL> host ('id')
uid=501(oracle8i) gid=501(oinstall) groups=501(oinstall),502(dba)

However, it doesn't seem to be easy to insert that into existing queries. It
also doesn't work with PL/SQL. For this, Oracle recommends piping the command
to a listening C program that would then exec the call.

Oracle's SQL is vulnerable to query modifiers, e.g. if the query is:
SELECT * FROM table WHERE name = '$field_name'
If $field_name is the user-supplied input coming from the web form, the
user can for example input the following string: hisname' or name='anothername
(note the quotes)
The query then becomes:
SELECT * FROM table WHERE name='hisname' OR name='anothername'
which obviously is not an expected result.

However, my attempts at "stacking" commands on Oracle, rather than just
modifying them, are not very successful.
That is, inputs such as: hisname' ; select sysdate from dual --
will result in:
ERROR at line 2:
ORA-00911: invalid character
The same with "/" instead of ";" will result in:
ERROR at line 2:
ORA-00936: missing expression

Has anybody on the list been playing with this on Oracle? Other databases?



--
Emmanuel Gadaix
The Relay Group
http://relaygroup.com

9A1C A656 5F15 977D 0A1B  5E11 E06F 439C 3C68 7413
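
The query-modifier case described in the post, worked through as an added example that is not part of the original message: it uses Python's sqlite3 as an offline stand-in for Oracle (an assumption; the table and rows are constructed), shows the concatenated query widening to both rows, and shows that an Oracle-style named bind variable (":name", which sqlite3 also accepts) keeps the quoted input as a plain literal. The stand-in client also refuses a second statement in one call, which loosely mirrors the stacking errors quoted above, although the exact error differs from Oracle's.

```python
import sqlite3

# Constructed sample data standing in for the post's "table" (assumption:
# sqlite3 in memory is used here instead of an Oracle instance).
ROWS = [("hisname",), ("anothername",)]
INJECTED = "hisname' or name='anothername"   # the input string from the post


def _db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE people (name TEXT)")
    con.executemany("INSERT INTO people VALUES (?)", ROWS)
    return con


def build_concatenated(field_name):
    # The pattern from the post: the user value is pasted into the SQL text,
    # so any quote in it ends the literal and the rest is parsed as SQL.
    return f"SELECT * FROM people WHERE name = '{field_name}'"


def query_concatenated(field_name):
    # Names matched when the concatenated query is executed.
    con = _db()
    try:
        return sorted(r[0] for r in con.execute(build_concatenated(field_name)))
    finally:
        con.close()


def query_bound(field_name):
    # Named bind variable: the value is passed beside the statement, never
    # spliced into it, so the quote inside the input is compared literally.
    con = _db()
    try:
        sql = "SELECT * FROM people WHERE name = :name"
        return sorted(r[0] for r in con.execute(sql, {"name": field_name}))
    finally:
        con.close()


def stacking_rejected(field_name):
    # sqlite3.execute() accepts exactly one statement per call, so a
    # concatenated "...' ; select ..." input raises instead of running twice.
    try:
        query_concatenated(field_name)
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False
```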

