Web applications and use Oracle databases. There are of course prerequisite things you're going to have to know a little bit about to be able to get through this presentation, and that's going to be, hopefully, a little bit of knowledge about how SQL works. I'll show you briefly, but if you know about that, it'll probably help you a lot to figure out what's going on. Also, if any of you guys have developed in PHP or JSP or ASP, you know a little bit about how web apps work, how they handle data and how they access databases, and that'll probably help you guys a lot. For everyone else, hopefully I'll do a good job and you'll be able to understand. So we're going to start out here looking at just what a normal web application looks like. I'm also going to note to everyone here that this was all put together in literally the last ten hours. I'd like to thank Phil Brass over there, who helped me out a lot, and a couple of other people. So, you know, this isn't pretty and this isn't what you're likely to see on a major corporation's website or anything, but it will do for demonstration purposes. So everyone's used to seeing stuff like this here. Can you guys get me back there? Cool. Let's say we know some guy's email address and they have a web application set up where I can get their phone number from the website, for instance. Again, this is all using the sample, local presentation data and everything. So it's pretty simple. I enter that and I get back their first name, their last name and their phone number. What SQL injection is going to allow you to do is, instead of getting back their first name, last name and phone number, you're going to be able to actually control what information comes back from the database. Thanks. So the first thing we're going to look at here is the ASP source code of what we're going to be seeing, because that's going to help us understand it.
Normally, of course, you're not going to have access to their source code. But here is what we're looking at. Everyone sees, here's the line we're interested in: select first name, last name, phone number from employees where email equals, and you see this is the value that gets passed up here in the URI part of the request. We control what that part is, and because we control what the value of email is, we can change this SQL statement and make it return different information back from the database other than first name, last name and phone number. Now you're going to run into a lot of sites that are going to stop you from doing this in a couple of ways. They're not going to allow you to send characters like spaces or single quotes, and those are the pages that, other than a couple of tricks that in certain circumstances can let you get through, which I may show you later if we have time, are not going to be vulnerable. I don't know if anyone's used this technique before. It's probably been around a couple of years now, but the number of sites that are vulnerable to this is just enormous. I've seen major communications corporations, credit card companies, investment banks, all kinds of stuff. So the first thing I'm going to do to show you how we're going to change what's getting back from the server is we're going to throw in a single quote here. Assuming this thing will work. Great. Okay, if the M.R. loves me. Alright. Forget that part. Want to try again, guys? Help from the audience. There we go. Thank you very much. What we have here is an error message that has come back from the database server, and it says, "quoted string not properly terminated." Let's look at what the database server saw when we sent the value of single quote for email. This is an Oracle SQL*Plus terminal. Normally, again, you wouldn't have access to this, but for demonstration purposes, to show everyone, it's very helpful for my presentation.
So instead of all the stuff here for email, where it's modifying the source code, we're going to put in that single quote. So now we're going to see what happens here. It got sent this line. Of course, having the three quotes in a row, anyone who's done any programming can tell you that that's not a valid literal value. So it gave you back this error message. Now our goal is to change that: instead of using a single quote, put in that little injection part, something very useful, to be able to manipulate what comes back from the database. So let's go back and let's look at the web applications we have available. Here's another simple one. It says login: enter username and password. Let's change it; instead of using an invalid username and password, where of course you get "invalid login," let's try quote, or, quote one quote equals quote one. We're going to use that for both of these. I see people laughing out there. Maybe you've seen how many places this actually works on. And of course, as we all know, behind each login form exists very sensitive corporate information; this actually happens to be a WorldCom SEC filing. So we're going to go back and we're going to open up and show you the source of the login. We're going to see exactly what happened that allowed me to just jump right through the login and get to sensitive financial information. Let's look at what goes on here. This is basic form stuff. You send the username, you send the password, and let's see what it does with it. This is basic, you know, ASP, ODBC driver stuff. We're connecting to the database, getting the values from the URI. Now here's what goes on. Here's how it authenticates: select username from users where username equals username and password equals password. Now let's see.
If that statement fails, for instance, if there is no row in the database where username and password match like that, what's going to happen is RS.EOF: if there are no records in the returned record set, then your login is invalid. If not, and again this is very simple sample stuff that I put together in the last couple of hours, it's been unbelievable, you get your access granted and you get sensitive financial information. So let's see what happens when we take the SQL statement here and we plug in the values, the quote, quote, quote thing: where username equals quote, and here's where we start changing things. Username equals nothing, or one equals one. Here's the part where we manipulate it. I want everyone to look real hard at that statement. Where username equals nothing, there is no username, or where one is equal to one. I don't know if anyone here has ever done any programming, but that statement will always, 100% of the time, be true. You will get records back from the database, and they do the same exact thing with password. And we're going to remove the double quotes there that came from the ASP. A simple note for people who have SQL injected against SQL Server: you can do quote, quote equals quote, quote. Oracle, for your information, does not see that. Null equals null will return null. It will not return true. So you do have to actually use one, or you can use 'a' or anything as long as they match up. It's going to slap that single quote onto the end for you. Is everyone following me here? Does anyone have any questions at all so far? Okay, then we're good. Let's see what comes back here. As you see, we can get the full list of usernames; that returns multiple records. So our statement evaluated true. Now that we've got our basic stuff together, we're going to start looking at more, and I've shown you the most simple thing: the authentication bypass is the easiest thing you can do.
We're going to go back to this script where it returns three columns of specific information from the database and displays them in the web application. Now I'm going to show you, real simply here, how a select union query would work using what I have here. Select, let's say, a username that's, you know, just sample information; 'a' and 'a' will return two columns. Of course, these are literals, not real records from the database. Select 'a', 'a' from a valid table name, where username equals some condition. And here's where we start what's called a union. A union is used to put basically two select queries together. It's just a programming device to help programmers return information from two different places in one SQL query. Union, select, and let's try different information: 'b' comma 'b' from, let's say, a different table, a table I happen to know is in all Oracle databases; there's a table called DUAL. The table DUAL does not contain information. It is a special kind of table. It exists, again, as a programming device: it will always return what's selected from it, one record set of it. So on every Oracle server you ever see, you can guarantee that there's a table called DUAL. And we'll make, you know, a universally true condition. Yeah. As you can see, where username equals quote, quote returned false; it returned no records. But the union select part returned both. Now, if I were to modify that to where one equals one, we would get both back. Does everyone understand how the union works? It just puts two queries together. It's returning both select 'b', 'b' from DUAL and select 'a', 'a' from users at the same time. In SQL*Plus Worksheet? No, because Larry Ellison hates everyone. It does everything in Java, which really hates everything. We're going to go back here. Can everyone see that, though? This is the important stuff, what you're doing from a web browser, what you're going to be actually doing when you're running this against a site.
So we're going to look here. Union select, and here's where you have to start paying attention. Let's try this: union select table_name from all_tables. ALL_TABLES is another table that occurs in all Oracle databases. It simply contains a list of all the tables that are on the database. It's got the list of everything in there, and you can always depend on it being there. Where, and of course, we're going to put our magical little string here that'll make it return records. And I'm going to copy that so I can show you back in the PL/SQL terminal, for those of you who are sitting close enough that you can actually see. I'm sorry. We're going to see what we get back. "Query block has incorrect number of result columns." I'll show you why that happens. What we've got here, and I'm really sorry about the font size, but there's nothing you can do, Oracle did not have the foresight to put font size information in the SQL*Plus Worksheet application, is that when you run a union select query, you have to have the same number of selected columns in the first select, and you have to have the same number of columns in the second select, in the union part. See, if I were to delete the second column, it's going to complain. Well, that's complaining about the comma there. But there you go. So what you have to do is you have to look at the legitimate output. We already saw that this returns three columns: first name, last name and phone number. So we need three columns here. One, two, and of course, I'm just using the literals here as dummy strings. This time, instead of getting back first name, last name and phone number, we have a list of every table in the Oracle database here. Now what we're going to go through is where you look, and of course you go through and find the table names that look interesting. But before we do that, I'm going to show you a couple of things that can occur in the SQL syntax that can make this a little confusing.
Not all SQL statements are going to look exactly like this. You're going to have some programmers who are going to do slightly different things. One thing you're going to see, let's get down to the SQL statement, is that in addition to the single quote, they're putting what you control, email, inside parentheses as well. So let's go real simple. I'll show you how to get around that. It's very simple. It's the same concept. Most of you have probably caught on by now. You end that right there. Union select, table_name, 'a', 'a', got to do column matching, from all_tables where, and you put the parenthesis right there so it matches up with what it's got at the beginning and the end, just like we showed before, and you get your tables back. If you don't have the parenthesis in there, Oracle actually, I don't know if any of you are, again, SQL Server people, the most common thing out there, SQL Server just tells you you have a syntax error. Oracle will actually tell you you're missing a parenthesis. Now, just one thing I'm going to point out here: SQL injection is not a problem in the database. The problem is that it's occurring here in the ASP programmer's code, that they're not stripping out things like single quotes and they're not limiting the amount of information that can be passed. For instance, this application that I've been showing you searches for an email address. Does anyone know of anyone who has an email address that is that long? Your common sense for your programmers should be: have a maximum for the email address of something like 10 characters, do not let commas through, do not let single quotes through, do not let spaces through. So the problem isn't the database server. The problem is the web application programmer. He's not doing what is called input sanitization. Yeah. All of the ones you showed had the same number of columns in the first select statement as in the second statement. Yes. I mean, in the second statement, if you inject, are there any constraints on that?
There will be, and I will get to that later. Another thing you have to do is you have to match the data types of the columns. I'll show that to you in a minute, though. See, we're going to have that here. Yeah, you have to do that. So, well, Oracle will return it to you. For instance, Oracle will say, "missing right parenthesis." And of course, this error message is for the benefit of the application developer and not the end user, the customer. They're telling it to you anyway, because the person who's running the web server and the ODBC server hasn't taken the time to disable error messages. Some web user out there looking at their site on the internet should never be able to see debugging error messages that are coming from your site. And while Oracle tells you "missing right parenthesis," one thing that it will not do is, if you've ever seen a SQL Server error message, it gives you parts of the SQL query that will run in the error message. Oracle will never do that. In SQL Server it's really easy to pick something like syntax or table names and stuff out of there, because you get them in the error messages; on Oracle, you're on your own. Another thing you're going to run into is a like query. Like queries are used in SQL for searching for things. They use wildcards. For instance, this one, you'll notice: enter as much as you know of a generic employee's last name to obtain their phone number. Because I'm sure everyone saw the last time I used "sking." Let's say I forgot their first name, but I know that their email address ends in "king." And look, two employees happen to have the last name King here. Here's what it looks like in code. The first part's the same. But at the end, we're at email like, and these percent signs here, they're the same as asterisks. They're basically wildcards.
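The speaker's point above is that the fix belongs in the application code, not the database: a value the user controls should never be pasted into the SQL text, and it should be validated against an allow-list before it is used. The following is an added example, not code from the talk or from SPI Dynamics; it uses an in-memory SQLite table as a stand-in for the Oracle/ODBC setup, with constructed sample rows, so it runs offline. The column names and the email length cap are assumptions for illustration. One caveat carried over from the talk: Oracle treats an empty string as NULL, which SQLite does not, so the tautology used here is the `'1'='1'` form the speaker uses rather than the `''=''` form.

```python
import re
import sqlite3

# Constructed stand-in for the talk's EMPLOYEES table (sample data, not the original).
SCHEMA = """
CREATE TABLE employees (first_name TEXT, last_name TEXT, phone TEXT, email TEXT);
INSERT INTO employees VALUES ('Alice', 'King', '555-0100', 'aking@example.com');
INSERT INTO employees VALUES ('Bob',   'King', '555-0101', 'bking@example.com');
INSERT INTO employees VALUES ('Carol', 'Diaz', '555-0102', 'cdiaz@example.com');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_concatenated(conn, email):
    # The pattern the talk's ASP page uses: the request value becomes part of the SQL text,
    # so a quote in the value changes the statement. Shown only as the 'before' case.
    sql = ("SELECT first_name, last_name, phone FROM employees "
           "WHERE email = '" + email + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # Bind variable: the driver passes the value separately; it is never parsed as SQL.
    sql = "SELECT first_name, last_name, phone FROM employees WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def lookup_like_parameterized(conn, fragment):
    # The talk's second page uses LIKE with wildcards. Even with a bind variable,
    # user-supplied text should have its own wildcards escaped so it matches literally.
    escaped = (fragment.replace("\\", "\\\\")
                       .replace("%", "\\%")
                       .replace("_", "\\_"))
    sql = ("SELECT first_name, last_name, phone FROM employees "
           "WHERE email LIKE ? ESCAPE '\\'")
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()


# Allow-list validation (hypothetical policy): a length cap plus a strict character set
# that admits no quotes, spaces or commas, which is what the speaker recommends.
MAX_EMAIL_LEN = 254
EMAIL_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(value):
    return len(value) <= MAX_EMAIL_LEN and EMAIL_RE.match(value) is not None


def lookup_hardened(conn, email):
    # Defence in depth: reject malformed input first, then use the bound query.
    if not validate_email(email):
        return []
    return lookup_parameterized(conn, email)


if __name__ == "__main__":
    db = open_db()
    payload = "' or '1'='1"
    print("concatenated:", lookup_concatenated(db, payload))   # every row comes back
    print("parameterized:", lookup_parameterized(db, payload))  # no row has that literal email
    print("hardened:", lookup_hardened(db, payload))            # rejected before the query
    print("like, escaped:", lookup_like_parameterized(db, "king"))
```

The concatenated version returns the whole table for the tautology payload; the parameterized version returns nothing, because the payload is compared as a literal string rather than interpreted as SQL. The LIKE variant shows that binding alone is not the end of the story: a bare `%` supplied by the user would still match every row unless it is escaped.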
Now, the way you get around this, and remember, you want to make sure that their SQL query, select first name, last name, phone number from employees, doesn't return records; you don't want to see them. So what we're going to do here is put in something that's obviously not going to turn up in their email address database, return no records, for instance, then union select, I did it again, table_name from all_tables. That's right. Where, and you have to match what they have. So we're going to use a like here: where table_name, got to use a valid column name, like. Actually, you don't have to match; we're going to do it anyway here. I just thought of something. We're at like, and remember, at the end of what you put, they are going to throw in percent quote. Like "does not occur in DB". That should look good. No, I'm sorry, everyone; this one, you want to return the wildcard, because this is your union select; you want this one to return as many as possible. So you're actually going to leave that blank. And again, you get that back; I'll show you this one. And what happens here is, because you used a single quote there, you get like percent. And as I said, the like is a wildcard, so full matches will be returned back. The third thing you're going to see, where's my IE there, no, that's all we're doing, for we have time constraints; I wish I could show everyone everything with inserts, but we're going to move along here. So now we're going to use the most simple one, because it's going to be the easiest for me to get through the presentation, and I think you've all got the concept here. Just to check, does anyone have any questions so far? Yeah. Yeah, you can. I'm going to go through all the different stuff you can do. So, now that we've got our list of tables, we're going to look through and see what tables look interesting.
Since I happen to have designed this database myself, I will tell you that there is a very interesting table called users here. Now we've got a table name, right? The next thing we need to do, before we can do a query on this table, is to know what the column names are, or else what kind of information are we going to get back? Just like there is an ALL_TABLES, there is a table called ALL_TAB_COLUMNS. It's got the column names, and you'll see up here the %20 stuff; Internet Explorer, when you send through HTTP, will encode certain things. I'll show that to you. Union select column_name, again, garbage, garbage, from, all, was it user columns? I guess I should know this one. I'm asking you guys. ALL_TAB_COLUMNS, which is of course all table columns, where, and we specify, and again, ALL_TAB_COLUMNS is another one of those standard Oracle tables. You can look it up in the Oracle reference documentation if you want to know what the rest of the column names are and stuff. Where table_name equals, and here's what we want, we want users. And remember that Oracle, most of the time with the nvarchar data type that most database administrators are going to use, will be case sensitive; capital USERS will not be the same table as lowercase users. And of course, we know that our ASP script slams an extra single quote onto the end and one onto the beginning. So we've got our syntax matched. And amazingly enough, one sec. Yeah. It's not that. Phil over here got it. This is my savior. And we have to make sure it returns. What was that table name? What am I doing here? From ALL_TAB_COLUMNS where table_name equals users. You guys are great. Thank you, everyone. And the incredibly difficult to guess column names in the super secret table users are, of course, username and password. Now that we know that, we're going to run back here. We're going to plug in username, password, and it's coming from the table.
Users where, of course, we don't need this part anymore. Check that out for a second. We're selecting username, password and 'a' from users where one equals one. And as you can see, they have a very strict password policy on the site. And for anyone who thinks things like this are unlikely, I recently did a pen test on a large communications company, and the admin password really was the administrator's username followed by 2002. So now we're going to use that. And we're going to go back to another login page. Now this login page, because it's designed in a slightly different way, and I'll show you, you can't do the quote, one equals one thing on. What happens in this one is it does the same thing, select a username from users where username is, password is. But in the ASP code, which we can't tamper with, it actually looks at this part to check: is the record that's returned back the same as the variable I have for username? So in this one, we're not going to be able to SQL inject our way through our authorization bypass. Excuse me, authentication bypass. I was waiting for someone to call me on that. But since we SQL injected and we got the admin's username and the secret password, we can go through and we can still recover sensitive financial information. Now that's the basics about how your select SQL injection is going to work. And now I'm going to go into some Oracle-specific things I figured out going through reference manuals and things. Oracle databases are huge, and they contain almost all of their configuration information within system tables. There are system tables for all kinds of things. One of the things that they have a table for is, for instance, the password policy. If you can't get it out, in the improbable event, and I say improbable because I've done this on many, many sites, and it seems like no one really understands that it's a pretty good idea to hash your passwords instead of just keeping them in clear text, you can get the password policy.
In this case, and this by the way is the default configuration, I just want to point out that Oracle by default will let you try to log on as many times as you like and it will not bother you. You can get failed login attempts, password grace time. And this only will work, again, this is for the Oracle logon. This is not for the web application. It may be completely different. If you can get at the Oracle server over a network, this information is unbelievably useful. If they do have a policy in place, and you have the maximum number of attempts and stuff, it really helps you design tools that will cut down your brute force time dramatically. Another interesting thing about modern database servers is they've basically got their own enormous programming languages built in. They want developers to use nothing but Oracle tools. They want them to buy the dev kits. They want them to do all kinds of stuff. And as a result, they contain some very, very interesting procedures and built-in commands as part of their database. One of the interesting things I found in Oracle is there is a package called UTL_HTTP, the HTTP utility, and it has a method called REQUEST. This will allow you, in a SQL statement, to make an HTTP request to another server and return the result as part of the record set. If anyone can see up here, and it's probably not large enough, what has basically happened here is, as part of my SQL statement, and I'll show you again on the phone finder page in a minute, it has pulled back an HTTP request and put it in the record set. And I'm also going to point out that there are, like, tens of thousands of these methods and procedures in Oracle, and there's not a database administrator on the face of the Earth that, you know, remembers to lock all this stuff down. It's simply unbelievable. So we're going to look at this and see how to do that.
Union select UTL_HTTP.REQUEST, and in this case, I'm not connecting this box to the internet, so I'm just going to do localhost, which I know is, you know, really impressive. Scripts, that's another one. Phone, or let's use login, like I showed you in the bookmark. login.asp, match your columns, from, so we're doing DUAL. DUAL, I told you about the DUAL table; it doesn't really have anything in it, but it'll make sure you get your result back, where, we're going to match the condition that works nicely with what's in the ASP code. Union select UTL_HTTP.REQUEST, 'a', from, union, we're having trouble with this one. What's that? Sorry, guys. Was it? Is that my relational operator problem? Yeah, thank you for solving all of my relational operator problems, man in the back. And we get that. Now, I want everyone to think about the implications of this. This request is being made from where your Oracle database server is, which is probably, although in some places people really do put the Oracle server on the exact same box as the web server, behind a firewall, and there's a very good chance you have no other way of getting at this Oracle box. You can make requests from the Oracle box inside the firewall. You can make requests to internal IP addresses, and you can scan for intranet web servers using this thing that you normally would not be able to get to from the internet, which is really great. Another interesting thing about Oracle: in order to show everyone how it integrates great with web services and web applications, Oracle has taken the liberty of, when you install the Oracle database, installing an HTTP server. It's built on top of Apache; it's Oracle Application Server, on the same box as the Oracle server. I just set an Oracle server up on this test box a couple of hours ago, and I can tell you that it is impossible to disable it in the installation.
It will not let you uncheck the box, and by default it runs automatically as a service, and it will start it. So be sure you check localhost port 80 when you get this, because there's a good chance that you're going to have a web server running on the Oracle database server and the administrator doesn't even know it. Other interesting stuff you can get: union select, the column name is SQL_TEXT, and then you have SQL_TEXT, there's the second one, yeah, SQL_TEXT from, there's a table called SQL_TEXT. These are all the previous SQL queries that have been run against the database. They contain all kinds of interesting information. I didn't even run any of these. I never did this. This is something the system does by itself, and you can go through it all at your leisure through SQL injection. See that? You guys remember all this stuff? All stored in the database. Oracle forgets nothing. Other interesting stuff? Yeah. I apologize. Like I said, I just set this up. This presentation is not on your DEFCON CD-ROMs, but we will have it posted. I'll get Tangent; he'll put it on the defcon.org site and our company's website, www.spidynamics.com. We'll have all this information. You'll have a pretty document, white paper, whatever thing that we can give to suits, and it won't frighten them, and you guys can read it and pick out all kinds of interesting table names that I'm using here. You'll be able to have this information. So if you're not writing everything down at the speed of light here, don't worry about it. But since you asked, the table name is SQL_TEXT, and remember, this is all in your standard Oracle documentation. This is completely in there for anyone who bothers to read it. The column name is SQL_TEXT. Other great stuff? Your privileges. Username, granted_role from USER_ROLE_PRIVS. Now, this will give you a couple of interesting things. The first thing it tells you is what your username is. In this case, I have it set up so it uses the username web user.
And I see that I have rights to connect, which is an obvious one. Also, interestingly enough, I have DBA privileges. And for anyone who thinks it is unlikely that the Oracle administrators will set up the web application user as DBA, I can tell you for a fact that people do it all the time, because then they don't have to bother setting up privileges and rights and things like that. It'll automatically have access to what it needs, you see. And so will we. So we've automatically got our privileges. Other interesting stuff? Oracle version info. The table name is called V$VERSION, and the column name is BANNER. And it gives you all the information about what it's running. Other great stuff. And this one will take a minute, because it's a very long query, and I'll tell you why it's long. Oracle stores stored procedure information in tables. You can get the source to the Oracle stored procedures by accessing tables. You see it's loading real slow, because of how much it pulls back. You can go through the source code for all the stored procedures on the database. This one's going to take a minute. So we're going to head to another browser while that one loads. Other great stuff? God, the Oracle server's going to be swamped. This is running on, like, a VMware box and Win2k Pro, so this isn't happening none too quickly. We may just have to wait for this one. I tell you what, I'll do this one later. Oh, there we go. I have here, we're selecting name, line number. And like I said, if you're trying to write this all down, you don't have to worry about it. We'll get this stuff on the net so that everyone can see it. Select name, line, and text from, the table name is ALL_SOURCE. And another nice thing about Oracle is that it has an identifier called ROWNUM. ROWNUM is a universal column name, and you can use it to limit the number of rows that are returned.
In fact, I will show you this query, and I'll actually inject it myself so that you can make sure you're getting all this. But just go through this stuff. It's all kinds of unbelievable stuff you can see in the stored procedure source about how the database is set up, what kind of other stuff there is. On a really large database, you can have so many user-defined table names. If you look through the stored procedure source code, you can usually figure out which ones are interesting and which ones aren't. I'll go back, and that is name, text, line number, ALL_SOURCE: union select name, text, select name, which is going to be your procedure name, TO_CHAR(line), and I will show you how we do that TO_CHAR in just a minute. Just what I told that guy over there: you have to do a certain type of data type matching on union queries. I probably should have started with that at the beginning. We'll have to go back. TO_CHAR(line), and of course text from ALL_SOURCE, where one equals one. You'll notice that none of this stuff is using, like, exploits. None of this stuff is underground information or anything other than the SQL injection. This is just stuff that is stored in the Oracle database and yours for the taking if you want it and you know where it is. Of course, as we can see, it would take another half an hour to load, but we're not going to wait. That is how it works. Here is the part about type matching. I don't know why I skipped over it, but I'm going to take a minute. I'll open it up over the ASP and I'll show you what's happening. One part of the union query, select, and I'll do this with literals and numbers to make it real simple: from DUAL, remember I just told you guys again, the DUAL table, it's not a real table, it just returns back what you give it, in this case it will return 'a' and one, where one equals one. Union select. Now watch this. Let's say we have 'a' and 'a' from DUAL where one equals one. Oracle does not like this. I'll show you what's happening.
"Expression must have same data type as corresponding expression." Not only do you have to have one, two columns here and one, two columns here, the types have to match. If they don't match, you're in trouble. So what you have to do is, once you know how many columns there are, if you start getting errors, you're going to have to start playing with things. Generally people are going to have three different kinds of general data types. Of course nvarchar is different from nvarchar2, but they convert implicitly. But what you're going to try is a letter, a number, and a date. And I'll tell you, the easiest way to do dates is not to try to do stuff like this. There is a function called SYSDATE, and it will hand you back the current date in that record set. In this case, let's say I try SYSDATE first. "FROM keyword not found where expected." SYSDATE may not be a function, just maybe a moment. There you go. It doesn't like SYSDATE, which by the way is case sensitive; you have to have it like that. But let's say we make it one, and it gets happy. It gets happy. Real technical here. So, are there any questions at this point? I've been going kind of quickly and haphazardly. Anyone want to know anything? Yeah, and that's what we do here in this one, which is still trying to load for some silly reason. Top ten? The loading? This is on, like, a VMware box with no RAM, so if it's taking a long time, we can't do much about it. You see here, line is a number. And in order to get it to return in the column, yeah, this one just takes a long time. Let's limit this with ROWNUM: ROWNUM is less than one. Very useful. It still may actually go through and seek all of them and only return where ROWNUM is less than one. Anyway, we probably don't have time for this. I don't want to cut into the next speaker's time.
We have to_char here and we're using this to convert line, which is a number, so we can do our character type matching to that. Other good stuff you can find. This whole thing may be waiting on the queries that may still be running, whether or not I've cancelled this thing. You can get the name of the operating system user you are running under using this query. There is a function in Oracle; most functions are stuff like to_char. Most functions are things that are going to help you add, divide, multiply, subtract, or put data types together, things like that. There's a very interesting one. It's called sys_context. It returns information about the current session you're in. You give it a namespace, and the one you want to use is USERENV; it's probably the only one you have permissions to. And you can get interesting stuff. In the second argument of the sys_context function, for instance, IP_ADDRESS, it will tell you the IP address of the box you're running on. You can select sys_context there. Of course, we have three columns. We're going to use dual. Don't have to bother with going to a real table. Just return back what we want. Sys_context. Missing SELECT keyword. I'm a real genius. You've probably all figured it out by now. There we go. And we get back an IP address. Now you're noticing, of course, this is 192.168, which is of course disappointing. I'll tell you two reasons that's happening: one reason is, of course, I'm not connected to a LAN. That's really this box's only IP address. The second reason it's happening is because there are certain ways to configure Oracle so that it's the only Ethernet adapter that it will recognize as your local one. However, this information is still very, very useful because, using our HTTP proxy, we now know what to start scanning for when we, like for instance, we've already determined that we can use utl_http.request to pull information back. And what you can do is you can set up a script. It'll try 192.168.
This is stuff on the internal network. Obviously, you can't get it from the net, but if you can get one check through an Oracle host, you can get your information back. You can start it, you know, at .1.0. You can make that request. See if there's a web server there. If you don't, if you get a null response, there's nothing there. Try two and try three, and you can work that way and you can basically turn the Oracle box into an HTTP port scanner. And if there are internal web servers running, they're going to have interesting stuff on them. Yes, sir. Yeah, absolutely. This works pretty standard. One thing I tried, I was disappointed, does not work. I know you cannot do like file:// and that pissed me off, because I was hoping for that. You could pull files with localhost. Yeah, what? Your question requires a pretty lengthy answer. I'll get to it in a minute. Yours? Yeah, you can do HTTPS. It'll do all the negotiation stuff for you. Yeah, generally not. If you can use parentheses, I haven't actually tested on this one, but let's see. He wants to know, let's say that you can't get single quotes through the web service. Your question, right? The web application's filtering out single quotes. You want to know if you can use double quotes and stuff like that. Double quotes, I'll tell you, will not work. What you want to look for, and I don't have the information in front of me, I'm sorry, when I post the information I'll get it to you, is like there's a char function, for instance. That's going to be a good one. Let's see if we get our character in the first column. No, I don't have SQL syntax information for this in front of me. I'll find out about that though. Yes, Rebecca? The hex code in here and the char function. Your web server, when it gets to the web server, the web server will understand that, but what it will do is it will convert that to the real character before the ASP script gets hold of it.
So the ASP script will see not the hex escape code; it'll see the real character, and if it's told to block single quotes, even if you hex-encode it, it'll still block it. Yes, sir? It does not until 4.0. It does not until 4.0, this man right here says. The other question is: do you have xp_cmdshell? Do you have arbitrary command execution? The answer to that is I haven't found a way yet. I'm still working on it. The problem with this is I'm not an Oracle DBA. I'm a web application security guy. So there is all kinds of stuff in Oracle that I've been looking through. One thing I will tell you, that anyone who's done this with SQL Server knows, is you can use a semicolon to do multiple command statements. The Oracle ODBC driver will not let you pass a semicolon. The semicolons will never get past the web server and you'll get an error message back. As far as arbitrary: is there a stored procedure to execute OS-level commands? I don't think there is. So over here. Okay, what he's saying is, what is the URL there again? Your friend's site. Where can you get the tool? I don't have net access on this right now. Can you just tell us again? Okay, while he's running up here, I'm going to tell you that my presentation is covering clean things you can do with SQL injection. Just type it up there. People say, of course there are, you've got buffer overflow exploits for Oracle. You've got privilege escalation techniques. My presentation isn't on that stuff. That's database layer security. I'm doing web application stuff to show you what you can do without getting to Oracle-specific exploits. If you guys, you know, follow Bugtraq, there's a ton of ways that once you are really putting information in there you can. You can use buffer overflows. You can probably get OS commands executed.
But for instance in SQL Server, in MS SQL Server, they have a procedure called xp_cmdshell that very cleanly and with the server's permission will execute your commands for you. Oracle doesn't have that nice easy functionality to get that done. Yes, sir. If you are using stored procedures, I don't have a demo web application for that. Yes. You can, you know, you can inject into stored procedures. Let's say, wait, just a second. Sorry about that. Let's say that they've got, you know, a stored procedure, my stored procedure, and what you need to do, when you're breaking through stored procedures, is you need to match the number of arguments. And you have to match it at the end. So let's say they've got a stored procedure, and this is the correct syntax for the stored procedure, and I'm just typing it up here; this is obviously ASP, this isn't how you would do it. This isn't how it would appear on the web server. Great, I'm losing people. Bye guys. Let's say that your correct syntax looks like this, all right? Three arguments. And your injection, and let's say you get to control the value of the first argument, right? If your injection string looked like that, union select, and then blah, blah, blah. And that was in there, yeah. This stuff here is no good, because this is what it would look like. Yeah. That's obviously not valid syntax, so what you would have to do with your injection string, and it'll do this the same way it gives you an error message when you've got the wrong number of columns, is you'd have to go 'a', close the parentheses, send it, see if you get an error message; if not, you keep adding them, and eventually you'd have to go like that, and you'd put that in there, and the database server would end up seeing something that would look like that, and of course at the end you would have to clean it up and have something with three arguments too, but you can do it.
Any other questions? Yes, yeah? So you've been out looking at a lot of websites doing assessments, and do you see a lot of select statements? Do you see a lot of insert statements that would also look the same? Yeah, insert is vulnerable in the same kind of way; the insert syntax is different, and we have time constraints here. How much time do I have left here? All right, yeah, like I said, if I tried to do insert too, it requires its own unique set of things to look for; I just didn't have the time to present it here. You can do it with insert. Occasionally you run across sites that are running really weird-looking SQL queries. If you're changing your password it may have like an alter command or something like that. Really, anything is injectable as long as your web application is not protecting against SQL quotes and stuff like that. Any other questions? Just tighten it up, yeah, I guess some people here want to know that. Here is a real simple one. I'm about to release, check www.spidynamics.com, that's S-P-I. It's about to be out; I have a whole paper written on secure web application and database server interaction, which covers what you need to do to tighten up in terms of the web application and how to lock down your database server with correct roles and permissions, so that if someone can inject, the amount of damage they can do is greatly minimized. So let's take folder.asp and let's see, email request, that's where it pulls it off, that's where it pulls your user argument from your URI. Let's say we did two things here. Replace, what's that? I'm not an ASP programmer and I don't intend to be, but this is what I had in front of me when I had to build this. Replace single quote with, let's say (this is what PHP does) backslash single quote, or you can do it with null. It'll kick all of the single quotes out of there. What else might you want to do? Replace commas. What does an email address need commas in it for?
Replace it with a bad character or, for instance, nothing. Yeah, yeah, the best way to do it is to regex everything else out, but I don't even know how to run regex in ASP; it probably doesn't support it. It does? Thank you, Phil. Like I said, I'll have all this in a proper paper. Default deny filtering is always the best way to do things. This is basic stuff you can do real quick. Other stuff you want to do is simply limit the length. You would do that real easy. Email equals Left. No, not quote email. Email, and I think that's the correct syntax on that, ASP programmers. You would limit it to 10 characters. You're not going to be able to do a whole lot in SQL with only 10 characters to clean everything up and get what you want back. So those are your quick steps. Default deny filtering, like this guy said; he was completely right, I wasn't thinking up here. And limiting length, and also data type. If your argument, in this case it's a string, but if your argument is a numeric type and someone is trying to pass letters into it, that goes with the filtering. Don't let them do that. Other things you want to do are on the database server. It's a really bad idea to let the web application access your database server with, you know, DBA privileges and stuff. What you want to do is take all the functions of your web application and break them down into roles. Logically break that down into users, default deny, and only grant those users the right to execute certain stored procedures. Another thing: try to stay away from building SQL statements. It's not a great idea. You're much better off using prepared statements and stored procedures. That gets into database programming, which this isn't a presentation on. Like I said, there'll be a separate paper on this. This is really a demonstration of the techniques. Yes, sir. This also, I mean, pretty easily for a denial of service, they'd just put in a really complex query statement.
There is all kinds of stuff, particularly if you're DBA; you can go to those system tables like all_tables or all columns. You can start messing with stuff and their database will probably stop working. Any other questions? Okay. I think I am done up here then. I apologize again for having this thrown together so quickly. Thank you very much. If you want more info
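The hardening steps the speaker lists at the end (kick out the characters the input has no business containing, cap the length, and stop building SQL by string concatenation in favour of prepared statements) are shown below as an added example; it is not code from the talk or from SPI Dynamics. It uses Python's built-in sqlite3 as a stand-in for the ASP-plus-Oracle setup in the demo, with a constructed employees table, and puts the talk's string-built lookup beside a bound-parameter version so the difference can be seen on the same input. The names (lookup_unsafe, lookup_bound, lookup_safe, MAX_EMAIL_LEN) are this example's own.

```python
import re
import sqlite3

# Constructed sample data standing in for the talk's employees table.
EMPLOYEES = [
    ("alice@example.com", "Alice", "Anders", "555-0101"),
    ("bob@example.com", "Bob", "Brown", "555-0102"),
    ("carol@example.com", "Carol", "Clark", "555-0103"),
]

# Length cap, as the talk suggests (the speaker's demo value was 10; this is a
# hypothetical, more realistic bound for an email address).
MAX_EMAIL_LEN = 64

# Allow-list: the only characters an email address needs. Everything the talk
# worries about (quotes, commas, spaces, semicolons) fails this check.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class RejectedInput(ValueError):
    """Raised when the request parameter is not a plausible email address."""


def make_db():
    """Build an in-memory database with the constructed employees table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (email TEXT, firstname TEXT, lastname TEXT, phone TEXT)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    return conn


def lookup_unsafe(conn, email):
    """The pattern from the demo ASP page: the request value is spliced into the SQL text.

    Whatever the caller sends becomes part of the statement, so a quote in the
    input changes the query rather than being compared as data.
    """
    sql = (
        "SELECT firstname, lastname, phone FROM employees WHERE email = '"
        + email
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_bound(conn, email):
    """Prepared statement: the value travels as a bound parameter, never as SQL text.

    A quote in the input is just a character in the string being compared.
    """
    return conn.execute(
        "SELECT firstname, lastname, phone FROM employees WHERE email = ?",
        (email,),
    ).fetchall()


def validate_email(email):
    """Default-deny filtering plus the length cap from the talk."""
    if len(email) > MAX_EMAIL_LEN:
        raise RejectedInput("parameter too long")
    if not EMAIL_RE.fullmatch(email):
        raise RejectedInput("parameter is not an email address")
    return email


def lookup_safe(conn, email):
    """Both layers together: validate the parameter, then use the bound query."""
    return lookup_bound(conn, validate_email(email))


if __name__ == "__main__":
    db = make_db()
    # Constructed input with a quote in it, the kind of value the talk shows breaking the query.
    tautology = "x' OR '1'='1"
    print("string-built query returned", len(lookup_unsafe(db, tautology)), "rows")
    print("bound query returned", len(lookup_bound(db, tautology)), "rows")
    try:
        lookup_safe(db, tautology)
    except RejectedInput as exc:
        print("filter rejected the parameter:", exc)
```

The bound query on its own already makes the quoted input harmless; the allow-list and length cap are the cheap front-line check the speaker describes, and they also keep junk from ever reaching the database. The talk's last point, connecting the application with a low-privilege role rather than DBA, is a database-side setting and is not shown here.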