Re: [sqlmap-users] Oracle PL/SQL Stacked Queries Question
From: Bernardo D. A. G. <ber...@gm...> - 2012-10-04 11:27:48
Hi Chris,

On 3 October 2012 21:33, Chris Oakley <chr...@gm...> wrote:

> Hi All
>
> When I get an injection for an Oracle system on the back end, I can use
> --sql-shell with no problems. However, if I try to use stacked queries
> here, I get an error message from SQLMap saying that I can't do that unless
> stacked queries are enabled, which as far as I know you can't do with
> Oracle, so that makes sense.

Web application programming languages like PHP, ASP, ASP.NET and JSP obviously have functions to query Oracle (or rely on ODBC/JDBC or similar drivers). Regardless, they do not interpret and stack up separate queries sequentially when a semi-colon (;) is provided, hence stacked-queries SQL injection by default won't work. However, when the SQL injection is within an Oracle function and PL/SQL code is allowed, you can stack queries sequentially. We have an open ticket to deal with this, https://github.com/sqlmapproject/sqlmap/issues/16

> However, I've been reading and it seems (I could be wrong here, still
> playing) that from 8i to 11g R2 there are packages which allow execution of
> anonymous PL/SQL blocks - dbms_xmlquery.newcontext() and
> dbms_xmlquery.getxml(). These are accessible to public by default. So an
> injection might be ?id=1 and (select dbms_xmlquery.newcontext('various;
> stacked; queries;') from dual) is not null -- I've looked at SQLMap's
> queries through a proxy and I don't think it does anything like this.
> Again, I'm just reading up on this now so I could well be off base here.

Correct. There are a few tricks, as far as I am aware, to stack queries in Oracle. This is one of those. sqlmap does not yet implement any of these.

> Ultimately, I'm trying to use the injection to gain DBA privs. I'm playing
> around manually at the moment but wondered if this is something SQLMap could
> potentially do and doesn't (or I'm totally wrong!)

Depending on the Oracle release and its version, you can leverage different PL/SQL injections in default functions/triggers to escalate your privileges to DBA. Metasploit has auxiliary modules for a number of these vulnerabilities, see here https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/sqli/oracle. Look at the source code and forge your SQLi payload accordingly. We have an open ticket to automate DBA privilege escalation on Oracle, https://github.com/sqlmapproject/sqlmap/issues/29.

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
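Detection logic for the dbms_xmlquery pattern discussed in this thread, as an added example that is neither part of the thread nor sqlmap's own code: it scans web-server access-log lines for request parameters whose URL-decoded value calls dbms_xmlquery.newcontext or dbms_xmlquery.getxml, the two procedures Chris names. The log lines, IPs and payload bodies are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the thread). Line 2 mirrors the
# injection shape quoted above; line 3 is the same idea double-URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Oct/2012:11:27:48 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [04/Oct/2012:11:28:02 +0000] "GET /item.php?id=1%20and%20(select%20dbms_xmlquery.newcontext('various;%20stacked;%20queries;')%20from%20dual)%20is%20not%20null-- HTTP/1.1" 200 512
10.0.0.9 - - [04/Oct/2012:11:29:10 +0000] "GET /item.php?id=2%2527%2520and%2520DBMS_XMLQUERY%2520.%2520GETXML(%2527placeholder%2527)%2520is%2520not%2520null-- HTTP/1.1" 500 0
10.0.0.5 - - [04/Oct/2012:11:30:00 +0000] "GET /search.php?q=newcontext%20meeting HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# The two DBMS_XMLQUERY entry points from the thread, tolerant of case and
# whitespace around the dot, as Oracle's parser is.
XMLQUERY_RE = re.compile(r'dbms_xmlquery\s*\.\s*(newcontext|getxml)\s*\(', re.IGNORECASE)

def decode_fully(value, rounds=3):
    """Undo repeated URL encoding so %2527-style double encoding is not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return (ip, parameter, procedure) findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    query = m.group('target').partition('?')[2]
    # Split on '&' by hand: payloads contain ';', which older parse_qsl treats as a separator.
    for pair in query.split('&'):
        name, _, raw = pair.partition('=')
        value = decode_fully(raw)
        for hit in XMLQUERY_RE.finditer(value):
            findings.append((m.group('ip'), name, hit.group(1).lower()))
    return findings

def scan_log(text):
    """Scan a whole log body and return all findings in order."""
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]

if __name__ == '__main__':
    for ip, param, proc in scan_log(SAMPLE_LOG):
        print(f'{ip} parameter {param!r} calls dbms_xmlquery.{proc}')
```

The innocuous `q=newcontext meeting` request is not flagged because the match requires the package-qualified call, not the bare word.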