Difference between revisions of "Oracle Security: SQL Injection"

From Robs_Wiki
Jump to: navigation, search
(How does SQL Injection take place?)
(How does SQL Injection take place?)
Line 4: Line 4:
 
SQL injection is a technique to maliciously exploit applications that use client-supplied data in SQL statements. Attackers trick the SQL engine into executing unintended commands by supplying specially crafted string input, thereby gaining unauthorized access to a database in order to view or manipulate restricted data.<br /><br />
 
SQL injection is a technique to maliciously exploit applications that use client-supplied data in SQL statements. Attackers trick the SQL engine into executing unintended commands by supplying specially crafted string input, thereby gaining unauthorized access to a database in order to view or manipulate restricted data.<br /><br />
 
== How does SQL Injection take place? ==
 
== How does SQL Injection take place? ==
Incorrectly validated or nonvalidated string literals are concatenated into a dynamic SQL statement, and interpreted as code by the SQL engine. The code passages below are examples of code that is vulnarable for SQL Injection:
+
Incorrectly validated or nonvalidated string literals are concatenated into a dynamic SQL statement, and interpreted as code by the SQL engine. The code passage below is an example of code that is vulnarable for SQL Injection:
 
<pre>
 
<pre>
Stmt1 CONSTANT VARCHAR2(4000) :=
+
create or replace procedure show_col (p_colname varchar2, p_tablename varchar2) AS
'select email from employees  where email = '''|| p_email|| ''' and last_name = ''' ||p_last_name || '''';
+
type t is varray(200) of varchar2(25);
 +
results t;
 +
stmt CONSTANT VARCHAR2(4000) := 'select '||p_colname|| ' from scott.'||p_tablename;
 +
BEGIN
 +
  dbms_output.put_line('SQL Stmt: '||stmt);
 +
  execute immediate stmt bulk collect into Results;
 +
  for j in 1..Results.Count() loop
 +
      dbms_output.put_line(results(j));
 +
  end loop;
 +
END show_col;
 +
/
 
</pre>
 
</pre>
 +
Let's first run it for it's intented use, as a harmless user:
 
<pre>
 
<pre>
Stmt2 CONSTANT VARCHAR2(4000) := 'select '||p_colname||' from '||p_tablename;
+
set serveroutput on
 +
SQL> execute show_col('ENAME','EMP');
 +
SQL Stmt: select ENAME from scott.EMP
 +
SMITH
 +
ALLEN
 +
WARD
 +
JONES
 +
MARTIN
 +
BLAKE
 +
CLARK
 +
SCOTT
 +
KING
 +
TURNER
 +
ADAMS
 +
JAMES
 +
FORD
 +
MILLER
 +
 
 +
PL/SQL procedure successfully completed.
 
</pre>
 
</pre>

Revision as of 09:46, 28 January 2020

What is SQL Injection ?

SQL injection is a technique to maliciously exploit applications that use client-supplied data in SQL statements. Attackers trick the SQL engine into executing unintended commands by supplying specially crafted string input, thereby gaining unauthorized access to a database in order to view or manipulate restricted data.

How does SQL Injection take place?

Incorrectly validated or nonvalidated string literals are concatenated into a dynamic SQL statement, and interpreted as code by the SQL engine. The code passage below is an example of code that is vulnarable for SQL Injection:

create or replace procedure show_col (p_colname varchar2, p_tablename varchar2) AS
type t is varray(200) of varchar2(25);
results t;
stmt CONSTANT VARCHAR2(4000) := 'select '||p_colname|| ' from scott.'||p_tablename;
BEGIN
   dbms_output.put_line('SQL Stmt: '||stmt);
   execute immediate stmt bulk collect into Results;
   for j in 1..Results.Count() loop
      dbms_output.put_line(results(j));
   end loop;
END show_col;
/

Let's first run it for it's intented use, as a harmless user:

set serveroutput on
SQL> execute show_col('ENAME','EMP');
SQL Stmt: select ENAME from scott.EMP
SMITH
ALLEN
WARD
JONES
MARTIN
BLAKE
CLARK
SCOTT
KING
TURNER
ADAMS
JAMES
FORD
MILLER

PL/SQL procedure successfully completed.