Advanced SQL Injection in Oracle databases

Author: Esteban Martínez Fayó
Contact: secemf@gmail.com
Publish date: February 2005

New Updated Material: In July 2005 a new version of this paper was presented at the Black Hat 2005 security conference in Las Vegas, USA. Click here to view the updated material.

This presentation is about new ways to exploit SQL Injection vulnerabilities in Oracle databases. It shows, with working examples, many ways in which Oracle database security can be bypassed and how to protect against these threats.

Topics:

  • Introduction
  • SQL Injection attacks
    • How to exploit
    • Exploit examples
    • SQL Injection in functions defined with AUTHID CURRENT_USER
    • How to get around the need for CREATE PROCEDURE privilege - Example
    • How to protect
  • Buffer overflow attacks
    • How to exploit
    • Exploit examples
    • Detecting an attack
  • Remote attacks using SQL Injection in a web application
    • Exploit examples
    • Web application worms
    • How to protect
  • Summary
  • Conclusions

The presentation includes many proof-of-concept exploit examples for these topics.

Download:

AdvancedSQLInjectionInOracleDatabases.zip (354 KB)

The zip file includes the presentation (in PDF format) and the example files.


UPDATED July 2005

Download:

AdvancedSQLInjectionInOracleDatabases_BH.zip (116 KB)

The zip file includes the presentation (in PDF format) and the example files.

Last Modified on 2005-09-19