Penetration Testing mailing list archives
[PEN-TEST] stacking SQL requests
From: Emmanuel Gadaix <emmanuel () RELAYGROUP COM>
Date: Wed, 30 Aug 2000 14:48:54 +0700
We've seen a few examples on the list of "xp_cmdshell" dangers with SQL Server. I'd be interested to find out the equivalent in Oracle. With SQL*Plus, there is a "host()" command, e.g.:

SQL> host ('id')
uid=501(oracle8i) gid=501(oinstall) groups=501(oinstall),502(dba)

However it doesn't seem to be easy to insert that into existing queries. It also doesn't work with PL/SQL. For this Oracle recommends piping the command to a listening C program that would then exec the call.

Oracle's SQL is vulnerable to query modifiers, e.g. if the query is:

SELECT * FROM table WHERE name = '$field_name'

If $field_name is the user-supplied input coming from the web form, the user can for example input the following string:

hisname' or name='anothername

(note the quotes)

The query then becomes:

SELECT * FROM table WHERE name='hisname' OR name='anothername'

which obviously is not an expected result.

However my attempts at "stacking" commands on Oracle, rather than just modifying the query, are not very successful. That is, inputs such as:

hisname' ; select sysdate from dual --

will result in:

ERROR at line 2:
ORA-00911: invalid character

The same with "/" instead of ";" will result in:

ERROR at line 2:
ORA-00936: missing expression

Has anybody on the list been playing with this on Oracle? Other databases?

--
Emmanuel Gadaix
The Relay Group
http://relaygroup.com
9A1C A656 5F15 977D 0A1B 5E11 E06F 439C 3C68 7413
Current thread:
- Re: [PEN-TEST] SQL Server blank account Curphey, Mark (ISS Atlanta) (Aug 29)
- <Possible follow-ups>
- Re: [PEN-TEST] SQL Server blank account Forrest Rae (Aug 29)
- Re: [PEN-TEST] SQL Server blank account Stephen Arehart (Aug 29)
- [PEN-TEST] stacking SQL requests Emmanuel Gadaix (Aug 30)
- Re: [PEN-TEST] stacking SQL requests Nicolas Gregoire (Aug 30)
- Re: [PEN-TEST] stacking SQL requests M. Burnett (Aug 30)
- [PEN-TEST] stacking SQL requests Emmanuel Gadaix (Aug 30)
- Re: [PEN-TEST] SQL Server blank account Andrew Lawton (Aug 29)
- Re: [PEN-TEST] SQL Server blank account Alexander Sarras (SEA) (Aug 30)