Hi Bernardo
Thanks for a very comprehensive reply.
Your ticket #16 is something I'm going to be doing very soon, I need more
practice with this. I'll check out some of those aux modules too.
The David Litchfield papers linked from one of your tickets are also
interesting reading. The user has the following privs:
SELECT * FROM session_privs; [11]:
[*] CREATE CLUSTER
[*] CREATE INDEXTYPE
[*] CREATE OPERATOR
[*] CREATE PROCEDURE
[*] CREATE SEQUENCE
[*] CREATE SESSION
[*] CREATE SYNONYM
[*] CREATE TABLE
[*] CREATE TRIGGER
[*] CREATE TYPE
[*] UNLIMITED TABLESPACE
So I think something should be possible here.
Regards
Chris
On 4 October 2012 12:27, Bernardo Damele A. G. <bernardo.dam...@gmail.com> wrote:
> Hi Chris,
>
> On 3 October 2012 21:33, Chris Oakley <christopher.oak...@gmail.com>
> wrote:
> > Hi All
> >
> > When I get an injection for an Oracle system on the back end, I can use
> > --sql-shell with no problems. However, if I try to use stacked queries
> > here, I get an error message from SQLMap saying that I can't do that
> > unless stacked queries are enabled, which as far as I know you can't do
> > with Oracle, so that makes sense.
>
> Web application programming languages like PHP, ASP, ASP.NET and JSP
> obviously have functions to query Oracle (or rely on ODBC/JDBC or
> similar drivers). Regardless, they do not interpret and stack up
> separate queries sequentially when a semi-colon (;) is provided, hence
> stacked queries SQL injection by default won't work.
> However, when the SQL injection is within an Oracle function and PL/SQL
> code is allowed, you can stack queries sequentially. We have an open
> ticket to deal with this,
> https://github.com/sqlmapproject/sqlmap/issues/16
>
> > However, I've been reading and it seems (I could be wrong here, still
> > playing) that from 8i to 11g R2 there are packages which allow execution
> > of anonymous PL/SQL blocks - dbms_xmlquery.newcontext() and
> > dbms_xmlquery.getxml(). These are accessible to public by default. So
> > an injection might be ?id=1 and (select dbms_xmlquery.newcontext('various;
> > stacked; queries;') from dual) is not null -- I've looked at SQLMap's
> > queries through a proxy and I don't think it does anything like this.
> > Again, I'm just reading up on this now so I could well be off base here.
>
> Correct. There're a few tricks as far as I am aware to stack queries
> in Oracle. This is one of those. sqlmap does not yet implement any of
> these.
>
> > Ultimately, I'm trying to use the injection to gain DBA privs. I'm
> > playing around manually at the moment but wondered if this is something
> > SQLMap could potentially do and doesn't (or I'm totally wrong!)
>
> Depending on the Oracle release and its version, you can leverage
> different PL/SQL injections in default functions/triggers to escalate
> your privileges to DBA. Metasploit has auxiliary modules for a number
> of these vulnerabilities, see here:
> https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/sqli/oracle
> Look at the source code and forge your SQLi payload accordingly.
> We have an open ticket to automate DBA privilege escalation on Oracle,
> https://github.com/sqlmapproject/sqlmap/issues/29.
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
>
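From the defensive side, the dbms_xmlquery.newcontext()/getxml() trick discussed above leaves a recognisable fingerprint in web server access logs: the package.function pair in a request parameter, usually with a semicolon inside the quoted argument. The following is an added detection example written for this thread, not sqlmap code; the log lines are constructed and the Combined-Log-style parsing is an assumption about the log format.

```python
"""Flag HTTP requests that carry DBMS_XMLQUERY.NEWCONTEXT / GETXML calls,
the Oracle stacked-query trick discussed in the thread.
Example code for this thread, not part of sqlmap. Log format and sample
lines are constructed assumptions."""
import re
from typing import Optional
from urllib.parse import unquote_plus

# package . function, tolerating whitespace or /**/ comments between
# the tokens (a common way to break naive keyword filters), any case.
_XMLQUERY = re.compile(
    r"dbms_xmlquery(?:\s|/\*.*?\*/)*\.(?:\s|/\*.*?\*/)*(newcontext|getxml)\s*\(",
    re.IGNORECASE | re.DOTALL,
)
# A semicolon inside the quoted argument is the tell for stacked statements.
_STACKED = re.compile(r"'[^']*;[^']*'")


def decode_param_string(raw: str) -> str:
    """URL-decode twice (apps and proxies often double-encode) and turn
    '+' into spaces, so the regexes see the SQL as the database would."""
    return unquote_plus(unquote_plus(raw))


def inspect_request(line: str) -> Optional[dict]:
    """Return a finding for one access-log line, or None if it is clean."""
    m = re.search(r'"(?:GET|POST)\s+(\S+)', line)
    if not m:
        return None
    decoded = decode_param_string(m.group(1))
    hit = _XMLQUERY.search(decoded)
    if not hit:
        return None
    return {
        "function": hit.group(1).lower(),
        # only look at text after the call, so an unrelated ';' earlier
        # in the URL does not count
        "stacked": bool(_STACKED.search(decoded[hit.start():])),
        "request": decoded,
    }


def scan(lines) -> list:
    """Run inspect_request over every line and keep the findings."""
    return [f for f in (inspect_request(l) for l in lines) if f]


# Constructed sample log: the thread's own payload shape, a benign request,
# and an obfuscated, upper-case getxml() call with no stacked statements.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Oct/2012:12:30:01 +0100] "GET /item.php?id=1%20and%20(select%20dbms_xmlquery.newcontext(%27various%3B%20stacked%3B%20queries%3B%27)%20from%20dual)%20is%20not%20null HTTP/1.1" 200 512',
    '10.0.0.6 - - [04/Oct/2012:12:30:02 +0100] "GET /item.php?id=42 HTTP/1.1" 200 512',
    '10.0.0.7 - - [04/Oct/2012:12:30:03 +0100] "GET /item.php?id=1%20and%20(select%20DBMS_XMLQUERY/**/./**/GETXML(%27select%201%20from%20dual%27)%20from%20dual)%20is%20not%20null HTTP/1.1" 200 512',
]
```

Feed real access logs through scan() and route any finding with "stacked": True straight to incident triage; a non-stacked hit still shows someone probing for the package, which is worth revoking PUBLIC execute on and auditing.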
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users