Difference between revisions of "Oracle Security: SQL Injection"
From Robs_Wiki
Qadmin wiki (talk | contribs) (→How does SQL Injection take place?) |
Qadmin wiki (talk | contribs) (→How does SQL Injection take place?) |
||
| Line 4: | Line 4: | ||
SQL injection is a technique to maliciously exploit applications that use client-supplied data in SQL statements. Attackers trick the SQL engine into executing unintended commands by supplying specially crafted string input, thereby gaining unauthorized access to a database in order to view or manipulate restricted data.<br /><br /> | SQL injection is a technique to maliciously exploit applications that use client-supplied data in SQL statements. Attackers trick the SQL engine into executing unintended commands by supplying specially crafted string input, thereby gaining unauthorized access to a database in order to view or manipulate restricted data.<br /><br /> | ||
== How does SQL Injection take place? == | == How does SQL Injection take place? == | ||
| − | Incorrectly validated or nonvalidated string literals are concatenated into a dynamic SQL statement, and interpreted as code by the SQL engine. The code | + | Incorrectly validated or nonvalidated string literals are concatenated into a dynamic SQL statement, and interpreted as code by the SQL engine. The code passage below is an example of code that is vulnarable for SQL Injection: |
<pre> | <pre> | ||
| − | + | create or replace procedure show_col (p_colname varchar2, p_tablename varchar2) AS | |
| − | 'select | + | type t is varray(200) of varchar2(25); |
| + | results t; | ||
| + | stmt CONSTANT VARCHAR2(4000) := 'select '||p_colname|| ' from scott.'||p_tablename; | ||
| + | BEGIN | ||
| + | dbms_output.put_line('SQL Stmt: '||stmt); | ||
| + | execute immediate stmt bulk collect into Results; | ||
| + | for j in 1..Results.Count() loop | ||
| + | dbms_output.put_line(results(j)); | ||
| + | end loop; | ||
| + | END show_col; | ||
| + | / | ||
</pre> | </pre> | ||
| + | Let's first run it for it's intented use, as a harmless user: | ||
<pre> | <pre> | ||
| − | + | set serveroutput on | |
| + | SQL> execute show_col('ENAME','EMP'); | ||
| + | SQL Stmt: select ENAME from scott.EMP | ||
| + | SMITH | ||
| + | ALLEN | ||
| + | WARD | ||
| + | JONES | ||
| + | MARTIN | ||
| + | BLAKE | ||
| + | CLARK | ||
| + | SCOTT | ||
| + | KING | ||
| + | TURNER | ||
| + | ADAMS | ||
| + | JAMES | ||
| + | FORD | ||
| + | MILLER | ||
| + | |||
| + | PL/SQL procedure successfully completed. | ||
</pre> | </pre> | ||
Revision as of 09:46, 28 January 2020
What is SQL Injection ?
SQL injection is a technique to maliciously exploit applications that use client-supplied data in SQL statements. Attackers trick the SQL engine into executing unintended commands by supplying specially crafted string input, thereby gaining unauthorized access to a database in order to view or manipulate restricted data.
How does SQL Injection take place?
Incorrectly validated or nonvalidated string literals are concatenated into a dynamic SQL statement, and interpreted as code by the SQL engine. The code passage below is an example of code that is vulnarable for SQL Injection:
create or replace procedure show_col (p_colname varchar2, p_tablename varchar2) AS
type t is varray(200) of varchar2(25);
results t;
stmt CONSTANT VARCHAR2(4000) := 'select '||p_colname|| ' from scott.'||p_tablename;
BEGIN
dbms_output.put_line('SQL Stmt: '||stmt);
execute immediate stmt bulk collect into Results;
for j in 1..Results.Count() loop
dbms_output.put_line(results(j));
end loop;
END show_col;
/
Let's first run it for it's intented use, as a harmless user:
set serveroutput on
SQL> execute show_col('ENAME','EMP');
SQL Stmt: select ENAME from scott.EMP
SMITH
ALLEN
WARD
JONES
MARTIN
BLAKE
CLARK
SCOTT
KING
TURNER
ADAMS
JAMES
FORD
MILLER
PL/SQL procedure successfully completed.
