Sql injection on Oracle
Good night:
I'm trying to understand the use of oracleparameters in visual basic .net 2008. It is said that its goal is to avoid sql injection but as far as I know Oracle throws an exception every time you use a ;, so I assume it is not possible to inject malicious sql to oracle.
Does anybody knows if it's possible and how to do an sqlinjection to Oracle by means of an ado .net command?.
Thank you
Section Understanding SQL Injection Attacks in Securing a .NET Application on the Oracle Database:http://www.oracle.com/technology/pub/articles/mastering_dotnet_oracle/cook_masteringdotnet.html shows examples in VB .Net.
Similar Messages
-
SQL Injection with Oracle Text
I did a search here for any posts about SQL Injection on Oracle Text indexes, but returned no hits.
Can anyone give their opinion about whether SQL Injection is a concern when using Oracle Text or what steps can be taken ahead of time to prevent (or at least reduce the attack surface) on Oracle Text queries.
We're running a web app. that will use Oracle Text and our users can enter any search string as well as select pre-defined items from a drop down box.
Thanks in advance for any opinions
LJquote:
Originally posted by:
Dan Bracuk
What others can do is more relevent than what we think. When
in doubt, test.
very true, although my final solution went more like, "When
in doubt, manually add about 600 cfqueryparams in 406 cfquery
tags". -
[ask] about oracle sql injection and escalation
Hello,i'm student , i'm studying oracle,now i want to research about oracle sql injection,i had read some tuttorial such as *'Hacking Oracle From Web,Advanced SQL Injection In Oracle Databases,Oracle Hacker HandBook ...'* but when i try to demo on localserver (11.0.1.6) but not run,and this is my demo
-- first,i created table users
create table users (name nvarchar2(50),pass nvarchar2(50))
-- then i created procedure with system user
create or replace procedure system.adduser(u nvarchar2,p nvarchar2)
as
begin
insert into users values(u,p);
end;
-- grant execute privilege to oc user
grant execute on adduser to oc
-- login with user oc and create a procedure
create or replace procedure sqli
as
begin
execute immediate 'grant dba to oc';
end;
-- and then,i run system's procedure
declare
begin
system.adduser('admin','admin'' ; execute immediate ''declare begin sqli() end;');
end;
i hope oracle master help me to i can understand and improving my knowledge
ThanksThe best forum for this is probably Forum Home » Java » SQLJ/JDBC
Presumably you are refering to oracle.sql.TIMESTAMP. While this is intended to (and does) correspond to java.sql.Timestamp it can't be a subclass because it needs to be a subclass of oracle.sql.Datum. -
What is SQL Injection?
SQL Injection is a way to attack the data in a database through a firewall protecting it. It is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database to return data. For example, by adding a single quote (‘) to the parameters, it is possible to cause a second query to be executed with the first.
An attack against a database using SQL Injection could be motivated by two primary objectives:
1. To steal data from a database from which the data should not normally be available, or to obtain system configuration data that would allow an attack profile to be built. One example of the latter would be obtaining all of the database password hashes so that passwords can be brute-forced.
2. To gain access to an organisation’s host computers via the machine hosting the database. This can be done using package procedures and 3GL language extensions that allow O/S access.
There are many ways to use this technique on an Oracle system. This depends upon the language used or the API. The following are some languages, APIs and tools that can access an Oracle database and be part of a Web-based application.
* JSP
* ASP
* XML, XSL and XSQL
* Javascript
* VB, MFC, and other ODBC-based tools and APIs
* Portal, the older WebDB, and other Oracle Web-based applications and API’s
* Reports, discoverer, Oracle Applications
* 3- and 4GL-based languages such as C, OCI, Pro*C, and COBOL
* Perl and CGI scripts that access Oracle databases
* many more.
Any of the above applications, tools, and products could be used as a base from which to SQL inject an Oracle database. A few simple preconditions need to be in place first though. First and foremost amongst these is that dynamic SQL must be used in the application, tool, or product, otherwise SQL Injection is not possible.
The final important point not usually mentioned in discussions about SQL injection against any database including Oracle is that SQL injection is not just a Web-based problem. As is implied in the preceding paragraph, any application that allows a user to enter data that may eventually end up being executed as a piece of dynamic SQL can potentially be SQL injected. Of course, Web-based applications present the greatest risk, as anyone with a browser and an Internet connection can potentially access data they should not.
While second article of this series will include a much more in-depth discussion of how to protect against SQL injection attacks, there are a couple of brief notes that should be mentioned in this introductory section. Data held in Oracle databases should be protected from employees and others who have network access to applications that maintain that data. Those employees could be malicious or may simply want to read data they are not authorized to read. Readers should keep in mind that most threats to data held within databases come from authorized users.
Protecting against SQL Injection on Oracle-based systems is simple in principle and includes two basic stages. These are:
1. Audit the application code and change or remove the problems that allow injection to take place. (These problems will be discussed at greater length in the second part of this series.)
2. Enforce the principle of least privilege at the database level so that even if someone is able to SQL inject an application to steal data, they cannot see anymore data than the designer intended through any normal application interface.
The “Protection” section, which will be included in the second part of this series, will discuss details of how to apply some of these ideas specifically to Oracle-based applications.
[http://www.securityfocus.com/infocus/1644]
how oracle prevent sql injections?mango_boy wrote:
damorgan wrote:
And they do so using bind variables
http://www.morganslibrary.org/reference/bindvars.html
and DBMS_ASSERT
http://www.morganslibrary.org/reference/dbms_assert.html
do you have any suggestion for mysql users??Yes. Install Oracle. -
Hi
As I understand there is no any protection!!! Do view parameters work as parameters in JDBC prepared statement? I looked at examples and it looks they are just replaced with string as parameter value to make new string !!!
AndriusAndrius,
to my knowledge only prepared statements provide you some level of safety and even herte I would recommend caution. The recommended approach for SQL Injection is to filter it either in a Servlet filter (which may be hard to do, but there is a library called mod_security by Ian Ristic that is open source and can be configured for additional security). In addition you can add custom code to the BC code that sets the parameters for the parameterized query to check for SQL injection. This can be done with Regular Expressions:
As an example:
Pattern p = Pattern.compile("(?i)\\bcreate|insert|delete|drop|update\\b");
Matcher m = p.matcher(username);
if (m.find())
// reject the request
Note that the example doesn't check for all possible patterns
Depending on your front end, additional checks can be provided. If e.g. in teh future you build applications with JSF, you could create a RegEx Validator to filter SQL injections.
Oracle ADF V2 comes with a declarative validator on the data binding level that support Regular Expressions defined on the attribute level. This I think should provide you the level of security you will expect.
Frank -
SQL Injection on CallableStatement
I will try to post this all in one line, as the tags are not working today. I know that one should use PreparedStatement over Statement to obviate the thread of a SQL injection attack. Is CallableStatement vulnerable as well? For reference, this would be running against an Oracle RDBMS. Thanks!
- SaishI guess there is no hard-and-fast rule.Well, I guess the hard and fast rule is "only use
bound variables". If you've got a sane database
design then that shouldn't cause you any problems.
Dave.I agree. I was approaching the issue mainly from a security perspective in locking down a legacy system against SQL injection attacks. Using Eclipse, I was able to zero-in on usages of Statement fairly easily. But the more I looked into CallableStatement, the more I realized that I woud have to inspect each invocation manually. (Just in case someone did not bind variables or built a dynamic SQL string).
- Saish -
Hello all-
I've got a server with a huge number of ColdFusion templates
(over 10,000) which I really need to protect agains SQL Injection.
I know that CFQUERYPARAM is the best way to do this. I'd love
to do it that way, but with so many pages, and so many queries it
would take weeks/months to fix the queries, then test to make sure
I didn't screw something up.
So, I've come up with a plan that I wanted to get some input
on.
Currently, I have a page on my server that is included in
almost every page that runs. It is a simple page that I can modify
to change the status of my systems in the event of a database
changeover, or some other sort of failure. (The pages still run,
but no updating is allowed, only reading)
Okay, so on this page which is always included, I was
thinking about analyzing the variables that come over. I was
thinking about looking for things that looked like a SQL injection
attack and blocking the page from running.
I wanted to know if this would work- anyone have ideas? This
would be great because I could protect the entire server in about
an hour. But, I don't want to give myself a false sense of security
if this won't really do the job.First, here are some simple things you can do to protect all
pages before you follow the other advice and plans in this thread:
In CF administrator, click on your datasources and then the
"Advanced" button.
There you will uncheck all but the read and stored procedure
and (possibly) write permissions. "Drop", "Create", etc., are
definite no-nos here.
If you haven't already, make one data source read-permissions
only and refactor your code to use it everywhere except for
carefully segregated updates, inserts and deletes.
Now, in SQL Server itself, remove all permissions from the
users that CF uses except for data_reader and (selectively) data
writer and exec permissions on any procedures or functions you use.
In SQL server, setup at least two CF users. One, should have
only the data_reader permission (plus any read-only stored
procedures).
Find articles, such as this one:
http://www.sqlservercentral.com/columnists/bknight/10securingyoursqlserver.asp,
and follow their advice, start with locking down xp_cmdshell.
These measures require little or no CF code changes but will
block all but the most determined and skilled hackers. You still
need to follow Adam's advice though.
BTW, Dan is very wrong, ALL DB's are vulnerable to SQL
injection.
SQL server is not even the most vulnerable anymore (Studies
show that Oracle now has that "honor"). -
Hello, I have found a lot of discussion about the SQL Injection.
Seems like it is very famous issue nowadays.
I am currently doing some findings on the SQL injection and hopefully this thread may give some benefits to everyone.
1. has SQLIA been resolved nowadays?
2. where SQLIA can be launched? is it only from the front-end of the website (eg. login form) or can also attack directly the database? if can, how it can be done? How the type of attack can be determined whether i is launched form the application or anywhere else?
3. Which is better? whether to prevent the SQLIA at the application layer or database layer?
My focus is to prevent the SQLIA in the web application itself for example by using data validation.
That's all for this post. Thank you so much.
Regards, hus..SQL statements that use bind variables are not vulnerable to SQL injection attacks (well, not practically vulnerable). There is a small risk that if the database is unpatched someone might be able to exploit a buffer overflow in some Oracle-delivered function that your query is using but that's not a realistic threat scenario.
There is plenty of documentation available online. For example a Google search on "bind variable" "sql injection" returns as the top result this PDF- An Introduction to SQL Injection Attacks in Oracle which discusses bind variables in some detail. In the top 5 results is this Oracle documentation on avoiding SQL injection in PL/SQL which discusses using bind variables.
Justin -
Hello
I've just installed HTMLDB ver 2 into a new install of 10.2.0.1.0 (taken off OTN)and wanted to have a look at generating reports mentioned in the documentation using SQL Injection. When I click on SQL Injection I get the following message:
"SQL Injection analysis is not supported with your current database release version. It is only available for Oracle release 10.2 or higher"
Do I need to switch something else on for HTMLDB to recognise the version of the database?
Any help greatly appreciated
Regards
PyncPync,
I'm afraid the message is a bit misleading. The packages required from Oracle (in addition to a 10.2 database) have not been distributed yet). See also our release notes on this topic:
http://download-west.oracle.com/docs/cd/B19306_01/relnotes.102/b16374/toc.htm#CCHJAGDJ
Sergio -
SQL Injection analysis report does not work.
I have tried to run the SQL Injection report (Home|Utilities|Object Reports Security|QL Injection but it comes up with the following message.
"SQL Injection analysis is not supported with your current database version. It is only available for Oracle release 10.2 or higher."
I have tried this as both an ordinary user and as system, on both Windows XP and LinuxThis is a bug in the XE Beta. The SQL Injection Analysis will not be accessible for XE production.
Joel -
Any Admins aware of possible SQL "injection" attacks like this?
For example in your web sites login.asp or similar:
select * from users
where uname='%value1%'
and pwd='%value2%'
where %value1% equals "garbage"
and %value2% equals "garbage' or TRUE or '"
select * from users
where uname='garbage'
and pwd='garbage' or TRUE or ''
Useful source of security info:
http://www.nextgenss.com/news.html
Get Oracle Security Patches:
http://otn.oracle.com/deploy/security/alerts.htm
Adeeva.There was an excellent presentation on this and other database attacks at the recent SEOUC conference in Charlotte. You can see the slides by going to http://www.seouc.org. Select "Presentation Abstracts" from the menu and then choose the keynote address. There were a lot of open jaws in the presentation room.
One technique that we use is to package all SQL used in our websites using bind variables. So the login script you showed would be replaced by a packaged procedure something like this:
PROCEDURE validate_logon (id_in appusers.id%TYPE, pw_in appusers.password%TYPE)
RETURN INTEGER
IS
x INTEGER;
sqlstr := 'select count(*) from appusers where id = :1 and password = :2';
BEGIN
EXECUTE IMMEDIATE sqlstr INTO x USING id_in, pw_in;
RETURN x;
END;
This would return a positive integer (should always be 1) if the validation succeeds and 0 if it fails. They can't easily inject stuff into this. We used packaged dynamic SQL with bind variables for everything. Also, the account that logs onto the database never has access of any kind to the tables or views, only EXECUTE on the procedures.
Nothing is foolproof but at least it makes it harder for them. -
SQL Injections and XSS - Escaping Special Characters
Hi, hope someone can help in regards to security and SQL Injections and XSS.
We are using APEX 4.0.2 on Oracle 11.2.0.2.
1. It seems the special characters we have entered into normal 'Text Items' 'Text Areas' etc are not being escaped (ie <,>,&, '). If I enter them into the field (ie Surname) they are saved as is into session state and the database - no escaping. Am I missing something such as an environment setting as I thought the "smart" oracle escaping rules would cater for this.
Surely I don't have to manually do each of then.
Just to confirm, am I looking in the correct places to assess if the characters are escaped or not - ie should they show as '&<>' in session state and/or the database ?
2. Also, for the Oracle procedures such as '‘wwv_flow.accept’ , ‘wwv_flow.show’ , 'wwv_flow_utilities.show_as_popup_calendar' - do these escape special characters. If not, then they must be vulnerable to SQL Injections attacks.
Thx
NigelRecx Ltd wrote:
Just to pitch in, escaping values internally (either in the database or session state) is extremely problematic. Data searches, string comparison, reporting and double escaping are all areas which suffer badly when you do this.
Stripping characters on input can also cause problems if not considered within the context of the application. Names such as "O'Niel", statistical output such as "n < 300", fields containing deliberate HTML markup can be annoying to debug. In certain situations stripping is totally ineffective and may still lead to cross-site scripting.
Apex applications that share the database with other applications will also be affected.
The database should contain 'raw' unfettered data and output should be escaped properly, as Joel said, at render time. Either with Apex attributes or using PLSQL functions such as htf.escape_sc() as and when required.Do not needlessly resurrect old threads. After a couple of months watches expire and the original posters are not alerted to the presence of your follow-up.
Shameless plug: If you are in the game of needing to produce secure Apex code, you should get in touch.This crosses the line into spam: it violates the OTN Terms of Use—see 6(j).
Promotional posts like this are liable to be removed by the moderators. -
This is about a stackoverflow question.
http://stackoverflow.com/questions/1267025/how-to-calculate-value-of-string-in-oracle
I (aka tuinstoel) have provided an answer how to protect against sql injection but I'm not completely sure I'm offering good advice.
My answer on stackoverflow:
http://stackoverflow.com/questions/1267025/how-to-calculate-value-of-string-in-oracle/1268243#1268243
Can anyone say whether my method is sound or provide one or more counterexamples?how about parsing the dynamic SQL and getting an execution plan for it first - and then check that execution plan against a kind of predefined templateIsn't a nice xml output not much easier to parse?
SQL> declare
cl clob;
begin
dbms_lob.createtemporary (
cl,
true
sys.utl_xml.parsequery (
user,
'select e.deptno from emp e where deptno = 10',
cl
dbms_output.put_line (cl);
dbms_lob.freetemporary (cl);
end;
<QUERY>
<SELECT>
<SELECT_LIST>
<SELECT_LIST_ITEM>
<COLUMN_REF>
<SCHEMA>MICHAEL</SCHEMA>
<TABLE>EMP</TABLE>
<TABLE_ALIAS>E</TABLE_ALIAS>
<COLUMN_ALIAS>DEPTNO</COLUMN_ALIAS>
<COLUMN>DEPTNO</COLUMN>
</COLUMN_REF>
<COLUMN_ALIAS>DEPTNO</COLUMN_ALIAS>
</SELECT_LIST_ITEM>
</SELECT_LIST>
</SELECT>
<FROM>
<FROM_ITEM>
<SCHEMA>MICHAEL</SCHEMA>
<TABLE>EMP</TABLE>
<TABLE_ALIAS>E</TABLE_ALIAS>
</FROM_ITEM>
</FROM>
<WHERE>
<EQ>
<COLUMN_REF>
<SCHEMA>MICHAEL</SCHEMA>
<TABLE>EMP</TABLE>
<COLUMN>DEPTNO</COLUMN>
</COLUMN_REF>
<VALUE>10</VALUE>
</EQ>
</WHERE>
</QUERY>
PL/SQL procedure successfully completed.;) -
Web and Database Security - SQL Inject info
Web and Database Security - SQL Injection.
Here is a whitepaper on The Dangers of Dynamic Content (SQL Injection)
http://www.issadvisor.com/viewtopic.php?t=125
SQL Injection. 3 parts. The first part discusses the basics of how to test
web applications for SQL injection vulnerabilities. The second part goes into
the specifics of how to manually identify and test for SQL injection
vulnerabilities. And the third part describes how to exploit SQL injection to
retrieve data from the database.
http://www.issadvisor.com/viewtopic.php?t=123
Understanding this critical security issue, helps web developers that leverage
database must design and make their applications more secure.
Hopefully these two links are informative and useful. Please pass them on.An APEX page can certainly be configured to not require authentication (that's pretty standard for the login/ registration page). There is no need for an "Oracle public password." There are accounts in the Oracle database that APEX uses but that no human needs to know the password for. If that's what you mean by "Oracle public password" then, yes, you do. But that would be the case no matter what authentication and authorization scheme you use in APEX.
A static IP address for your web server is likely a good idea. It's possible to have DNS work with dynamic IP addresses but that's probably not what you want.
Justin -
Preventing sql injection attack
string objConn9 = "Provider = MSDAORA;User ID=103109798;Password=password;Data Source=orabis;";
OleDbConnection myConnection9 = new OleDbConnection(objConn9);
string commandString9 = "INSERT INTO users(username,password)VALUES(:username,:password)";
OleDbCommand myCommand9 = new OleDbCommand(commandString9, myConnection9);
myCommand9.Parameters.Add(":username", txtUsername.Text);
myCommand9.Parameters.Add(":password", txtPassword.Text);
myConnection9.Open();
myCommand9.ExecuteNonQuery();
myConnection9.Close();
i'm using this code to try to remove the problem of
users entering a comma or an semi colon and throwing off my query, but its not working...
is there an easy way to insert text values into oracle 8i
that contain '; etc without throwing it off. I'm developing through c# and oracle 8i, the problem is most of the code examples are related to sql server and vb.netI may be off here, but in this case you appear to be okay. The code snippet you include looks to me like it is using bind variables. If you are using bind variables you are not susceptible to sql injection attacks.
It is only when concatenating a string together to make a sql statement that injection attacks can occur.
See
http://asktom.oracle.com/pls/ask/f?p=4950:8:::::F4950_P8_DISPLAYID:668624442763#18067076079313
and search for injection.
Or just go to
http://asktom.oracle.com
and search for "sql injection bind variable" for lots of other references.
Maybe you are looking for
-
Crystal report and SQL 2000 Integration to BW?
HI All, We have following two requirements to be implemented 1) We need crystal reports to be integrated with BW system.Please guide about the prerequisites as well as the procedure to be followed so as to generate Crystal reports once the plugins ar
-
Hi there, I have a problem installing sharepoint designer 2013 which I downloaded . When I try to install the 64 bits installation program it it comes up with a popup that there are 32 bits programs found on my laptop. (Office 15 click-to-run extensi
-
Problem with Variable in Query Designer.
hi all, we have a variable ZAMREG on characteristic AM Region, where AM region is attribute for two different master data objects mastobj1 and mastobj2, we have different infosets build on these two master data objects along with some other ODS. now
-
Check box in ALV - how to remove line selectors?
Hai All, I have to display sales orders in ALV grid. A check box shoud be displayed against each row. So if the user selects few sales orders & click on SAVE the data will be saved in custom table. The problem now is, I used the statement field_cat-E
-
BOM Details in to a Purchase and Sales Documents
Hi How to get BOM Details in to a Purchase and Sales Documents (With COmponentItems Details).