[Previous entry: "10g Release 2 is available for download for Windows"] [Next entry: "Database Vendors Shouldn't Kill the Messenger"]
Esteban Martínez Fayó has a fantastic black hat presentation on SQL Injection
August 5th, 2005 by Pete
Post to del.icio.us
Post to Furl
I downloaded Esteban's, Alex's and Cesar's presentations from the Black Hat conference earlier in the week and I just got round to reading Esteban’s presentation titled "Advanced SQL Injection in Oracle Databases". The paper covers SQL injection in definer rights procedures and also current_user procedures. Esteban also talks about how to get around the need to be able to CREATE PROCEDURE to be able to hack with SQL Injection. He also shows how to query the data dictionary to view the exploit code and also the resultant (modified) code inside built-in packages. He also discusses SQL buffer overflows and remote web based attacks. This is a very comprehensive paper and includes excellent examples. In fact I would go as far as saying this is one of the best Oracle security papers (presentations included) I have ever read. Excellent work! - This presentation underlines, if it needed underlining that SQL injection is a real and current threat for Oracle databases and as Esteban points out, he has still a huge number of bugs in built-in packages that he has reported to Oracle that still need to be fixed.
