Exploiting PL/SQL Injection Flaws with only CREATE SESSION Privileges

When exploiting PL/SQL injection flaws in SELECT/UPDATE/INSERT/DELETE statements it has long been known that if an attacker can create their own function, and inject this, then it is possible for them to execute arbitrary PL/SQL code – for example EXECUTE IMMEDIATE ‘GRANT DBA TO PUBLIC’. Of course, if the attacker can’t create their own function because they don’t have the privileges, then their ability to execute arbitrary PL/SQL is severely limited, unless they can find an extant function already on the system that allows them to execute arbitrary PL/SQL. Prior to April 2006 the DBMS_EXPORT_EXTENSION function could be used for this purpose but it has now been fixed. This paper looks at how a low privileged user, that is a user with only the CREATE SESSION system privilege, may exploit a PL/SQL injection flaw to gain DBA privileges by searching for and examining other functions like DBMS_EXPORT_EXTENSION.

Download whitepaper here

Author: David Litchfield

Call us before you need us.

Our experts will help you.

Get in touch
%d bloggers like this: