Hi Chris, On 3 October 2012 21:33, Chris Oakley <christopher.oak...@gmail.com> wrote: > Hi All > > When I get an injection for an Oracle system on the back end, I can use > --sql-shell with no problems. However, if I try to use stacked queries > here, I get an error message from SQLMap saying that I can't do that unless > stacked queries are enabled, which as far as I know you can't do with > Oracle, so that makes sense.
Web application programming languages like PHP, ASP, ASP.NET and JSP have obviously functions to query Oracle (or rely on ODBC/JDBC or similar drivers). Regardless, they do not interpret and stack up separate queries sequentially when semi-colon (;) is provided hence stacked queries SQL injection by default won't work. However, when the SQL injection is within a Oracle function and PL/SQL code is allowed, you can stack queries sequentially. We have an open ticket to deal with this, https://github.com/sqlmapproject/sqlmap/issues/16 > However, I've been reading and it seems (I could be wrong here, still > playing) that from 8i to 11g R2 there are packages which allow execution of > anonymous PL/SQL blocks - dbms_xmlquery.newcontext() and > dbms_xmlquery.getxml(). These are accessible to public by default. So an > injection might be ?id=1 and (select dbms_xmlquery.newcontext('various; > stacked; queries;') from dual) is not null -- I've looked at SQLMaps > queries through a proxy and I don't think it does anything like this. > Again, I'm just reading up on this now so I could well be off base here. Correct. There're a few tricks as far as I am aware to stack queries in Oracle. This is one of those. sqlmap does not implement yet any of these. > Ultimately, I'm trying to use the injection to gain DBA privs. I'm playing > around manually at the moment but wondered if this is something SQLMap could > potentially do and doesn't (or I'm totally wrong!) Depending on the Oracle release and its version, you can leverage different PL/SQL injection in default functions/triggers to escalate your privileges to DBA. Metasploit has auxiliary modules for a number of these vulnerabilities, see here https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/sqli/oracle. Look at the source code and forge your SQLi payload accordingly. We have an open ticket to automate DBA privilege escalation on Oracle, https://github.com/sqlmapproject/sqlmap/issues/29. -- Bernardo Damele A. G. E-mail / Jabber: bernardo.damele (at) gmail.com Mobile: +447788962949 (UK 07788962949) ------------------------------------------------------------------------------ Don't let slow site performance ruin your business. Deploy New Relic APM Deploy New Relic app performance management and know exactly what is happening inside your Ruby, Python, PHP, Java, and .NET app Try New Relic at no cost today and get our sweet Data Nerd shirt too! http://p.sf.net/sfu/newrelic-dev2dev _______________________________________________ sqlmap-users mailing list sqlmap-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/sqlmap-users
