Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "10g Release 2 is available for download for Windows"] [Next entry: "Database Vendors Shouldn't Kill the Messenger"]

Esteban Martínez Fayó has a fantastic black hat presentation on SQL Injection



I downloaded Esteban's, Alex's and Cesar's presentations from the Black Hat conference earlier in the week and I just got round to reading Esteban’s presentation titled "Advanced SQL Injection in Oracle Databases". The paper covers SQL injection in definer rights procedures and also current_user procedures. Esteban also talks about how to get around the need to be able to CREATE PROCEDURE to be able to hack with SQL Injection. He also shows how to query the data dictionary to view the exploit code and also the resultant (modified) code inside built-in packages. He also discusses SQL buffer overflows and remote web based attacks. This is a very comprehensive paper and includes excellent examples. In fact I would go as far as saying this is one of the best Oracle security papers (presentations included) I have ever read. Excellent work! - This presentation underlines, if it needed underlining that SQL injection is a real and current threat for Oracle databases and as Esteban points out, he has still a huge number of bugs in built-in packages that he has reported to Oracle that still need to be fixed.