[ask] about oracle sql injection and escalation
Hello, I'm a student studying Oracle. Now I want to research Oracle SQL injection. I have read some tutorials such as *'Hacking Oracle From Web, Advanced SQL Injection In Oracle Databases, Oracle Hacker HandBook ...'*, but when I try the demo on my local server (11.0.1.6) it does not run. This is my demo:
-- first, I created table users
create table users (name nvarchar2(50), pass nvarchar2(50));
-- then I created a procedure as the SYSTEM user
-- (static INSERT: u and p are passed as bind values, so their text is stored, not parsed as SQL)
create or replace procedure system.adduser(u nvarchar2, p nvarchar2)
as
begin
  insert into users values (u, p);
end;
/
-- grant execute privilege to the oc user
grant execute on adduser to oc;
-- log in as user oc and create a procedure
create or replace procedure sqli
as
begin
  execute immediate 'grant dba to oc';
end;
/
-- and then I run SYSTEM's procedure
declare
begin
  system.adduser('admin','admin'' ; execute immediate ''declare begin sqli() end;');
end;
/
I hope an Oracle master can help me understand and improve my knowledge.
Thanks
The best forum for this is probably Forum Home » Java » SQLJ/JDBC
Presumably you are referring to oracle.sql.TIMESTAMP. While this is intended to (and does) correspond to java.sql.Timestamp it can't be a subclass because it needs to be a subclass of oracle.sql.Datum.
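As an added example (not code from the post or from the tutorials it names), the following PL/SQL puts the pattern those tutorials target, a definer-rights procedure that concatenates its arguments into dynamic SQL, beside the bound form, and then repeats the call from the question against the bound procedure; the schema app_owner and the names adduser_unsafe and adduser_safe are assumptions.

```sql
-- Constructed example: schema APP_OWNER and table APP_OWNER.USERS(name, pass)
-- are assumed to exist, and the caller has only EXECUTE on the procedures.

-- 1) The pattern the injection tutorials target: a definer-rights procedure
--    that splices its arguments into the statement text. Whatever the caller
--    passes becomes SQL, and it is parsed and run with the owner's privileges.
CREATE OR REPLACE PROCEDURE app_owner.adduser_unsafe (u IN VARCHAR2, p IN VARCHAR2)
AS
BEGIN
  EXECUTE IMMEDIATE 'insert into users values (''' || u || ''', ''' || p || ''')';
END;
/

-- 2) Bound form. EXECUTE IMMEDIATE ... USING, exactly like the static INSERT in
--    the question, sends u and p to the parser as bind values: their text is
--    stored and never becomes part of the statement. Definer rights are kept
--    here on purpose, so the caller needs no privilege on the table itself;
--    where the caller already has table access, AUTHID CURRENT_USER is the
--    further step that stops a later coding mistake from acting as the owner.
CREATE OR REPLACE PROCEDURE app_owner.adduser_safe (u IN VARCHAR2, p IN VARCHAR2)
AS
BEGIN
  EXECUTE IMMEDIATE 'insert into users (name, pass) values (:1, :2)'
    USING u, p;
END;
/

-- 3) Check: the call from the question, made against the bound procedure,
--    stores the entire second argument as the PASS value; nothing in it runs.
--    Compare the stored text with the argument to confirm it arrived verbatim.
BEGIN
  app_owner.adduser_safe('admin', 'admin'' ; execute immediate ''declare begin sqli() end;');
END;
/
SELECT name, pass, LENGTH(pass) AS pass_len
  FROM app_owner.users
 WHERE name = 'admin';
```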
Similar Messages
-
A silly question about oracle.sql.timestamp and java.sql.timestamp
Hi,
I'm looking at a method that takes objects of type Object and does stuff if the object is really a java.sql.timestamp. If it is not then an error is flagged. In my case it flags an error when an object of type oracle.sql.timestamp is passed to it. Not really entirely comfortable with Java (I'm still learning it), here's my stupid question: why isn't oracle.sql.timestamp a subclass of java.sql.timestamp? Also in various books it indicates that java.sql.timestamp maps to oracle.sql.timestamp. Does that mean you have to physically do the mapping:
i.e.
java.sql.Timestamp t = new Timestamp( new oracle.sql.Timestamp( CURRENTTIMESTAMP ).timestampValue() );
or is there something else to it.
Thanks.
Harold.
The best forum for this is probably Forum Home » Java » SQLJ/JDBC
Presumably you are referring to oracle.sql.TIMESTAMP. While this is intended to (and does) correspond to java.sql.Timestamp it can't be a subclass because it needs to be a subclass of oracle.sql.Datum. -
SQL Injections and XSS - Escaping Special Characters
Hi, hope someone can help in regards to security and SQL Injections and XSS.
We are using APEX 4.0.2 on Oracle 11.2.0.2.
1. It seems the special characters we have entered into normal 'Text Items', 'Text Areas' etc. are not being escaped (i.e. <, >, &, '). If I enter them into a field (e.g. Surname) they are saved as-is into session state and the database - no escaping. Am I missing something such as an environment setting, as I thought the "smart" Oracle escaping rules would cater for this?
Surely I don't have to manually do each of them.
Just to confirm, am I looking in the correct places to assess if the characters are escaped or not - i.e. should they show as '&<>' in session state and/or the database?
2. Also, for the Oracle procedures such as 'wwv_flow.accept', 'wwv_flow.show', 'wwv_flow_utilities.show_as_popup_calendar' - do these escape special characters? If not, then they must be vulnerable to SQL injection attacks.
Thx
Nigel
Recx Ltd wrote:
Just to pitch in, escaping values internally (either in the database or session state) is extremely problematic. Data searches, string comparison, reporting and double escaping are all areas which suffer badly when you do this.
Stripping characters on input can also cause problems if not considered within the context of the application. Names such as "O'Niel", statistical output such as "n < 300", fields containing deliberate HTML markup can be annoying to debug. In certain situations stripping is totally ineffective and may still lead to cross-site scripting.
Apex applications that share the database with other applications will also be affected.
The database should contain 'raw' unfettered data and output should be escaped properly, as Joel said, at render time. Either with Apex attributes or using PL/SQL functions such as htf.escape_sc() as and when required.
Do not needlessly resurrect old threads. After a couple of months watches expire and the original posters are not alerted to the presence of your follow-up.
Shameless plug: If you are in the game of needing to produce secure Apex code, you should get in touch.
This crosses the line into spam: it violates the OTN Terms of Use—see 6(j).
Promotional posts like this are liable to be removed by the moderators. -
About Oracle SQL Certification Details
Hi All,
I want to Details About Oracle SQL Certification. How many Type and what are there.
Thanks & Regards
You will get better answers in the [Oracle Certification Forum|http://forums.oracle.com/forums/forum.jspa?forumID=459]
Thanks,
Karthick. -
Oracle.sql.BLOB and oracle.sql.STRUCT
I'm developing an application in Java with Oracle to manage media files. When I try to insert into Oracle, I get this error: "oracle.sql.BLOB cannot be cast to oracle.sql.STRUCT", and I don't know what it can be.
This is my code, please help with that. If you have sample code for Java and Oracle to insert media, that would be a great help.
public void loadDataFromStream(OracleConnection con) {
    try {
        Statement s = con.createStatement();
        OracleResultSet rs = (OracleResultSet)
            s.executeQuery("select * from blobs where id='video2.avi' for update ");
        String index = "";
        while (rs.next())
            index = rs.getString(1);
        index += "1";
        System.out.println("llego hasta aki");
        // the error is on the line below ...
        OrdVideo vidObj = (OrdVideo) rs.getCustomDatum(2, OrdVideo.getFactory());
        //rs.getBfile(3);///
        FileInputStream fStream = new FileInputStream("/home/jova/movie.avi");
        vidObj.loadDataFromInputStream(fStream);
        vidObj.getDataInFile("/home/jova/movie.avi");
        fStream.close();
        System.out.println(" getContentLength output : " +
            vidObj.getContentLength());
        OraclePreparedStatement stmt1 =
            (OraclePreparedStatement) con.prepareCall("update blob_col set image = ? where id = " + index);
        stmt1.setCustomDatum(1, vidObj);
        stmt1.execute();
        stmt1.close();
        index += "1";
        System.out.println("OK");
    } catch (Exception e) {
        System.out.println("exception raised " + e);
        System.out.println("load data from stream unsuccessful");
    }
}
-
XML Validation using java for SQL Injection and script validation
I have an input coming from xml file.
I have to read that input and validate the input against sql injections and scripts.
I require help now how to read this xml data and validate against the above two options.
I am a java developer.
In this context, what is marshalling?
http://www.ibm.com/developerworks/library/x-javaxmlvalidapi.html?ca=dgr-lnxw07Java-XML-Val
http://java.sun.com/j2se/1.5.0/docs/api/javax/xml/validation/package-summary.html
The following code validates the XML against an XML schema:
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;

// define the type of schema - we use W3C:
String schemaLang = "http://www.w3.org/2001/XMLSchema";
SchemaFactory factory = SchemaFactory.newInstance(schemaLang);
Schema schema = factory.newSchema(new StreamSource("sample.xsd"));
Validator validator = schema.newValidator();
// at last perform validation (throws SAXException if the document does not conform):
validator.validate(new StreamSource("sample.xml"));
Message was edited by:
haishai -
SQL Injection and cfqueryparam
I was told to look into <cfqueryparam> to assist in fighting SQL injection, and it makes perfect sense, up until I thought of a different scenario...
This tag seems great when you are dealing with numbers or text where you can restrict the number of characters, but what if you have a textarea that allows for a large amount of text to be entered? I.e. a search field for records that uses keywords.
How do you stop someone from entering damaging SQL into an area that accepts this?
Thanks for any education.
Wally Kolcz
MyNextPet.org
Founder / Developer
586.871.4126
WebDev wrote:
It works because <cfqueryparam ....> tells the DBMS that this data is a value, NOT SQL. The DBMS will then never process it as SQL. When you write the SQL and values straight into the code, then the DBMS does not know what is what and assumes it all must be SQL.
An Example...
<cfquery ....>
SELECT aField FROM aTable WHERE aField = '#aValue#'
</cfquery>
With this code, ColdFusion processes the entire body of the <cfquery...> tag into a string and sends that entire string to the DBMS as SQL. The DBMS then processes what it was given. If somebody can modify the aValue variable to change the SQL string, that is what is processed.
<cfquery ...>
SELECT aField FROM aTable WHERE aField = <cfqueryParam value="#aValue#"...>
</cfquery>
With this code ColdFusion processes the SQL and the queryParam as separate things. It sends the DBMS the SQL with parameters and a list of values to be used in those parameters. The DBMS knows the parameters are not SQL and will not process them as SQL, and if a parameter contains SQL it will just be used as a value and not parsed.
FYI... That is how <cfqueryparam...> can improve performance. By knowing what parts of the SQL are variables, it can cache the SQL and just use different variables when they are passed to the DBMS.
HTH
Ian -
Oracle SQL*Net and TNS Protocol
I need to get technical documents on Oracle SQL*Net and the TNS protocol, down to the bit-level definition. I have talked to several people in Oracle Documentation, Sales and Tech Support, but no one could give me any clue so far. Can anyone help me with this?
SQL*Net is installed by default with SQL*Plus and any of the clients (OEM uses the JDBC OCI driver and some native connectivity).
It is likely that the version of the client you have installed is not one that TOAD can work with or it can't find the client (is the Oracle home/bin directory in the path?) -
I am using Oracle as the database and WebLogic 4.5. I have copied the classes12.zip file into the lib directory of WebLogic. I am getting the error that oracle.sql.* and oracle.jdbc.driver.* are not found when I import these packages in a JSP file. What do I need to do to import the Oracle driver packages? I put it in the classpath also.
Please advise!
Thanks in advance
AnuPama
Hi Anupama,
First of all I would be surprised if you would not like to use the connection pooling feature of WebLogic (in which case you might not need to import the classes directly), and would rather open direct connections to your database. Anyway, for doing that I would recommend you check out the readme doc that ships
along with the Oracle JDBC driver (classes12.zip etc). I am giving an excerpt here:
These are a few simple things that you should do in your JDBC program:
1. Import the necessary JDBC classes in your programs that use JDBC.
For example:
import java.sql.*;
import java.math.*;
2. Register the Oracle driver before calling other JDBC APIs.
(This is not needed if you are using the JDBC Server-side Internal
Driver because registration is done automatically in the server.)
To register the Oracle driver, make sure the following statement
is executed at least once in your Java session:
DriverManager.registerDriver(
new oracle.jdbc.driver.OracleDriver());
3. Open a connection to the database with the getConnection call.
Different connection URLs should be used for different JDBC
drivers. The following examples demonstrate the different URLs.
For the JDBC OCI8 Driver:
Connection conn = DriverManager.getConnection(
"jdbc:oracle:oci8:@<database>",
"scott", "tiger");
where <database> is either an entry in tnsnames.ora or a SQL*net
name-value pair.
For the JDBC Thin Driver, or Server-side Thin Driver:
Connection conn = DriverManager.getConnection(
"jdbc:oracle:thin:@<database>",
"scott", "tiger");
where <database> is either a string of the form
<host>:<port>:<sid> or a SQL*net name-value pair.
For the JDBC Server-side Internal Driver:
Connection conn = DriverManager.getConnection(
"jdbc:oracle:kprb:");
Note that the trailing ':' character is necessary. When you use
the Server-side Internal Driver, you always connect to the
database you are executing in. You can also do this:
Connection conn
= new oracle.jdbc.driver.OracleDriver().defaultConnection();
Hope this helps,
Thanks,
--
Apurb Kumar -
I want to buy a MacBook Pro but I'm wondering about the keyboard: could Mac's shop change the keyboard into an Arabic keyboard? I want to buy 2 laptops. I have friends in the USA and they visited an Apple store and asked about changing the keyboard and they (the Apple store) said OK, so I don't know about the Australian store.
I'm a student and my UNE (University of New England) gives me a 10% discount on each. Thanks
alifromarmidale wrote:
I need the keyboard English with Arabic. Thanks
These are user to user technical assistance forums, and nobody here represents Apple or any store. In order to find out whether you can buy something at a particular store, you really need to find some way to contact the store directly. -
I have few questions to ask about the Expert Series and Valet Series
Hello.
I have few questions to ask about the Expert Series and Valet Series.
1. I see there aren't any print server/bridge/access point for these two new series. Do I have to use previous ones? Or the new ones are in planned in near future?
2. Do I "HAVE TO USE CONNECT SOFTWARE"? Can I just use web interface to do every setting that these routers features?
3. Does expert series routers support guest network and parental control?
4. When I look into the information on these routers, some routers don't give any information about backward compatibility with older standards. Should I assume that they are backward compatible with older standards?
Ok, that's all for now.
If I need to ask more questions I will do that in this thread as a reply.
With the new Expert or Valet Series router, you can still use the Print Server / Bridge and Access Points.
With the Expert and Valet Series routers, you have the option to use the Cisco Connect software or the web interface of the router. But with the Cisco Connect software you have the advantage of creating a Guest Account and using Parental Control, which is not available using the web interface.
Both of these routers are backward compatible and they can connect to your G Series products. -
Oracle SQL Developer and Errors (Line Number Incorrect)
First, I wanted to state that Oracle SQL Developer 2 is a standout job.
I wanted to report, though, that when Oracle SQL Developer 2 can't compile a block of code or a simple SQL statement has invalid syntax, it does not have an option to accurately go to the line of code in question. GOING TO the erroneous line of code doesn't need to be a feature, but often times the line no. REPORTED by Oracle SQL Developer is incorrect by 50+ lines.
Is this something I could fix on my end? I have five other developers griping about this.
Thank you!
I don't know if this is the situation you are talking about, but line numbers for errors in SQL in a SQL Worksheet are not line numbers within the statement but rather line numbers in the worksheet. For example, with the following SQL in the worksheet:
select * from dual;
select * from dual;
select * from dual;
select from dual;
Running the "select from dual;" statement (as either statement based on cursor position, selected statement or as script), the error is reported on Line 4, Column 7. As I show line numbers (Tools | Preferences | Code Editor | Line Gutter | Show Line Numbers), this makes sense. Without line numbers showing or having the option to go to the error and with more realistic examples with SQL statements scrolling off the page, I can see that the line number in the errors wouldn't be helpful.
I think -K- is talking about the PL/SQL code editors not reporting the correct line number based on the error line not counting the "create or replace" line at the start of a package (and more for triggers).
theFurryOne -
Oracle sql developer and access db
Hi All,
I have connections to Oracle and Access DBs in my Oracle SQL Developer.
When I try to create a database link from the Oracle DB to the Access DB I have to add a Host Name.
Connection details to access looks like this :
@jdbc:odbc:Driver={Microsoft Access Driver (*.mdb)};DBQ=C:\ list.mdb;DriverID=22;READONLY=false}
I tried different variants, but it doesn't work.
Is it possible to create a database link to an Access DB, and if yes, what do I have to add for a host name and what is the syntax for cross-table queries?
Thank you
Good documentation here... http://www.orafaq.com/node/60
TimS -
SQL Injection and variable substitutions
Hello helpful forum, I'm trying to understand what really goes on "behind" the scenes with the variable substitutions in order to protect from SQL injections.
I'm using apex 3.0.0.00.20
The trickiest component seems to be a Report of type "pl/sql returning sql", since multiple dynamic SQL interpretations are done there.
Consider the following innocent-looking disaster:
DECLARE
  l_out VARCHAR2(2000);
BEGIN
  l_out := 'select * from test_injection t where t.name like ''%' || :NAME || '%''';
  RETURN l_out;
END;
If NAME is a single quote the report will return:
failed to parse SQL query: ORA-00911: invalid character
which hints at the fact that NAME is not escaped, and you are in fact able to access DB functions, as in: '||lower('S')||'
I also tried to put there a function that runs in an autonomous transaction to log its calls, and I see that it's called five times for each request.
Consider now the similar solution (notice the two single quotes):
DECLARE
  l_out VARCHAR2(2000);
BEGIN
  l_out := 'select * from test_injection t where t.name like ''%'' || :NAME || ''%''';
  RETURN l_out;
END;
With this second example nothing of the above is possible.
So my theory (please confirm it or refute it) is that there is a first variable substitution done at the PL/SQL level (and in the second case :NAME is just a string so nothing is substituted). Then the dynamic SQL is executed and it returns the following string:
select * from test_injection t where t.name like '%' || :NAME || '%'
Now another substitution is done (at an "APEX" level) and then the query is finally executed to return the rows to the report.
The tricky point seems to be that the first substitution doesn't escape the variable (hence the error with the single quote), while the second substitution does.
Please let me know if this makes sense and what the proper guidelines are to avoid SQL injection with the different kinds of reports and components (SQL, pl/sql returning sql, processes, ...)
Thanks
Giovanni,
You should build report regions like this using the second method so that all bind variables (colon followed by name) appear in the resultant varchar2 variable, l_out in your example, which will then be parsed as the report query. This addresses not only the SQL injection problem but the shared-pool friendliness problem.
Scott -
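An added example (not code from the thread) of the second method Scott recommends, for a report region of type "PL/SQL function body returning SQL query": page-item values reach the returned string only as bind tokens, and the one piece that cannot be bound, the ORDER BY column, is chosen from developer-controlled text instead of being concatenated. The page items P1_NAME and P1_SORT and the table test_injection are assumptions.

```sql
-- Constructed example: region source for "PL/SQL Function Body returning SQL
-- Query". P1_NAME is a free-text item, P1_SORT a select list with the fixed
-- values NAME and ID; both are assumed to exist on the page.
DECLARE
  l_sql VARCHAR2(4000);
BEGIN
  -- The statement text never contains the value of P1_NAME; it contains the
  -- token :P1_NAME, which APEX binds when it parses the string this block
  -- returns. A single quote typed into the item is therefore just data.
  l_sql := 'select t.id, t.name from test_injection t where 1 = 1';

  IF :P1_NAME IS NOT NULL THEN
    -- Appending a clause is fine: the clause is developer text and the
    -- value still arrives through the bind, so this is the thread's second
    -- form (two single quotes around the bind), not the first.
    l_sql := l_sql
          || ' and upper(t.name) like ''%'' || upper(:P1_NAME) || ''%''';
  END IF;

  -- An ORDER BY column must be part of the statement text, so it cannot be a
  -- bind. Map the item to one of a fixed set of column names; the item value
  -- itself is never placed into l_sql.
  l_sql := l_sql || ' order by '
        || CASE :P1_SORT WHEN 'NAME' THEN 't.name' ELSE 't.id' END;

  RETURN l_sql;
END;
```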
SQL Injection and Java Regular Expression: How to match words?
Dear friends,
I am handling SQL injection attacks on our application with Java regular expressions. I use them to match whether there are malicious characters or keywords injected into the parameter value.
The denied characters and keywords can be " ' ", " ; ", "insert", "delete" and so on. The expression I wrote is String pattern_str="('|;|insert|delete)+".
I know it is not correct. It cannot be used to match only the whole words insert or delete. Each character in the two words can be matched and it is not what I want. Do you have any idea how to match only the whole word?
Thanks,
Ricky
Edited by: Ricky Ru on 28/04/2011 02:29
Avoid dynamic SQL, avoid string concatenation and use bind variables and the risk is negligible.