Summary: This paper is aimed at developers of web applications that use Oracle as the back-end database, and describes the risk of SQL injection attacks and the measures that prevent them. Although Oracle offers stronger protection in some respects, applications without proper defenses are still vulnerable, particularly to function-based SQL injection. Validating every parameter or using bind variables prevents these attacks.
(Summary generated automatically by CSDN.)
An Introduction to SQL Injection Attacks for Oracle Developers
January 2004

Table of Contents
1. Introduction
Summary
SQL Injection Overview
SQL Injection: Oracle versus Other Databases
Application Development
2. SQL Injection
Introduction
Categories of SQL Injection Attacks
What’s Vulnerable
What’s Not Vulnerable
3. SQL Injection Methods
SQL Manipulation
Code Injection
Function Call Injection
Buffer Overflows
4. PL/SQL
Overview
Execute Immediate Statement
DBMS_SQL Package
Dynamic Cursors
5. JDBC
Overview
PreparedStatement
CallableStatement
6. Protecting against SQL Injection
Bind Variables
Input Validation
Function Security
Error Messages
7. Common Exceptions
Dynamic Table Names and Where Clauses
Like Clauses
Dynamic Procedure and Function Calls
8. Oracle Functions
Determine Function Privileges
Restricting Access to Functions
Standard Functions
Oracle Supplied Functions
Custom Application Functions
9. References


1. Introduction


Summary

Most application developers underestimate the risk of SQL injection attacks against web
applications that use Oracle as the back-end database. Our audits of custom web applications show
that many application developers do not fully understand the risk of SQL injection attacks or the
simple techniques used to prevent such attacks.

This paper is intended for application developers, database administrators, and application auditors
to highlight the risk of SQL injection attacks and demonstrate why web applications may be
vulnerable. It is not intended to be a tutorial on executing SQL attacks and does not provide
instructions on executing these attacks.


SQL Injection Overview

SQL injection is a basic attack used to either gain unauthorized access to a database or to retrieve
information directly from the database. The principles behind a SQL injection are simple and these
types of attacks are easy to execute and master.

We believe web applications using Oracle as a back-end database are more vulnerable to SQL
injection attacks than most application developers think. Our application audits have found many
web applications vulnerable to SQL injection even though well established coding standards were in
place during development of many of these applications. Function-based SQL injection attacks are
of most concern since these attacks do not require knowledge of the application and can be easily
automated.

Fortunately, SQL injection attacks are easy to defend against with simple coding practices. However,
every parameter passed to every dynamic SQL statement must be validated or bind variables must be
used.


SQL Injection: Oracle versus Other Databases

Oracle has generally fared well against SQL injection attacks, as it has no support for multiple SQL
statements in one request (unlike SQL Server and PostgreSQL), no EXECUTE statement (unlike SQL
Server), and no INTO OUTFILE clause (unlike MySQL). Also, the use of bind variables in Oracle
environments for performance reasons provides strong protection against SQL injection attacks.

Oracle may provide stronger and more inherent protections against SQL injection attacks than other
databases. Despite these advantages, an application without proper defenses against these types of
attacks is still vulnerable, and many web applications are.


Application Development

Applications can be developed using many methods for connecting to an Oracle database – some of
these methods are more vulnerable to SQL Injection attacks than others. This paper will focus on
just a few programming languages and application architectures commonly used for web-based
applications, although, the techniques described in this paper should be relevant for most
programming languages and application architectures.

This paper will focus on applications that use JDBC for connecting to an Oracle database and
PL/SQL as a programming language. We believe these are the two most common programming
methods for applications using Oracle as the database.


2. SQL Injection


Introduction

SQL injection attacks are simple in nature – an attacker passes string input to an application in
the hope of manipulating the SQL statement to his or her advantage. The complexity of the attack
lies in exploiting a SQL statement that may be unknown to the attacker. Open-source
applications and commercial applications delivered with source code are easier to attack, since an
attacker can find potentially vulnerable statements prior to an attack.


Categories of SQL Injection Attacks

There are four main categories of SQL Injection attacks against Oracle databases –
1. SQL Manipulation
2. Code Injection
3. Function Call Injection
4. Buffer Overflows

The first two categories, SQL manipulation and code injection, should be well known to the reader,
as these are the most commonly described attacks for all types of databases (including SQL Server,
MySQL, PostgreSQL, and Oracle).

SQL manipulation involves modifying the SQL statement through set operations (e.g., UNION) or
altering the WHERE clause to return a different result. Many documented SQL injection attacks
are of this type. The most well known attack is to modify the WHERE clause of the user
authentication statement so the WHERE clause always results in TRUE.

Code injection is when an attacker inserts new SQL statements or database commands into the SQL
statement. The classic code injection attack is to append a SQL Server EXECUTE command to the
vulnerable SQL statement. Code injection only works when multiple SQL statements per database
request are supported. SQL Server and PostgreSQL have this capability and it is sometimes possible
to inject multiple SQL statements with Oracle.

The last two categories are more specific attacks against Oracle databases and are not well known or
documented. In the vast majority of our application audits, we have found applications vulnerable
to these two types of attacks.

Function call injection is the insertion of Oracle database functions or custom functions into a
vulnerable SQL statement. These function calls can be used to make operating system calls or
manipulate data in the database.

SQL injection of buffer overflows is a subset of function call injection. In several commercial and
open-source databases, vulnerabilities exist in a few database functions that may result in a buffer
overflow. Patches are available for most of these vulnerabilities, but many production databases
remain un-patched.
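The following is an added example, not code from the paper. It shows the two categories the audits found most often, SQL manipulation of the WHERE clause (the always-true login bypass) and function call injection, against one concatenated login statement, and then the same statement with bind variables. It uses Python's sqlite3 in-memory database as a stand-in for Oracle (an assumption: the injected strings use only syntax that is also valid in Oracle, namely the || concatenation operator, string literals and a scalar subquery, but the USERS table, its rows and the LEAK function are constructed for this example and are not Oracle objects). LEAK stands for any database function with an observable side effect, such as one that makes an operating system or network call; it records what it was called with so the effect is visible.

```python
import sqlite3

# In-memory SQLite stands in for Oracle (assumption for this example). The
# attack strings below are valid Oracle syntax too; the table, rows and the
# LEAK function are constructed for the demonstration.


def make_db():
    """Create a throwaway database holding a constructed USERS table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("scott", "tiger", "admin")],  # constructed data
    )
    conn.commit()
    return conn


def install_side_effect_function(conn):
    """Register LEAK(x): a stand-in for a database function with a side effect
    (OS call, network call, file write). It records every argument it receives
    and returns '' so the call vanishes inside the string comparison."""
    captured = []

    def leak(value):
        captured.append(value)
        return ""

    conn.create_function("leak", 1, leak)
    return captured


def login_vulnerable(conn, username, password):
    """User input concatenated straight into the statement: both SQL
    manipulation and function call injection work against this."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_bind(conn, username, password):
    """Same statement with bind variables: the input is only ever data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Attack 1, SQL manipulation: the WHERE clause becomes
#   ... AND password = '' OR '1'='1'
# which is true for every row, so the login "succeeds" as every user.
ALWAYS_TRUE = "' OR '1'='1"

# Attack 2, function call injection: the WHERE clause still matches nothing
# and the query returns no rows, but LEAK() runs with the admin password.
# The attacker needs no knowledge of the application's statement for this.
CALL_INJECT = "x'||leak((SELECT password FROM users WHERE role='admin'))||'"


def demo():
    """Run both attacks against the concatenated and the bound statement."""
    conn = make_db()
    captured = install_side_effect_function(conn)
    results = {}
    results["manipulation_vuln"] = login_vulnerable(conn, "nobody", ALWAYS_TRUE)
    results["manipulation_bind"] = login_bind(conn, "nobody", ALWAYS_TRUE)
    results["funccall_vuln_rows"] = login_vulnerable(conn, CALL_INJECT, "x")
    results["funccall_vuln_captured"] = list(captured)
    captured.clear()
    results["funccall_bind_rows"] = login_bind(conn, CALL_INJECT, "x")
    results["funccall_bind_captured"] = list(captured)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running demo() shows the point of the paper's fourth category: the function call attack leaves the result set empty, so an application that only checks "did the login succeed" never notices that a database function was executed with data chosen by the attacker. With bind variables neither attack string is interpreted as SQL, so the manipulation returns no rows and LEAK is never called.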


What’s Vulnerable

A web application is vulnerable to SQL injection for only one reason – end user string input is not
properly validated and is passed to a dynamic SQL statement. The string input is usually passed
directly to the SQL statement. However, the user input may be stored in the database and later
passed to a dynamic SQL statement. Because of the stateless nature of many web applications, it is
common to write data to th
