This blog has moved here.

Wednesday, May 26, 2010

SqlPlus Injection

Despite that at the very first sight it might look stupid you may be hacked by a colleague in a very rude way. Suppose one developer asks you to create a new user for an upcoming system. Because he's a nice guy, he also hands you a simple script which creates this user along with all the required grants. Of course, even you like your colleague and appreciate his effort, you carefully inspect that script before running it. Let's see a preview of this script in a plain vim window:


Oookey! The script has nice comments, nothing unusual... You run it in your sqlplus SYS session and... BANG! your SYSTEM user is compromised and you'll even don't know that. If you still have the WTF face, then look again.
The catch is in the last comment. We used to think that in sqlplus a multiline  comment start with an /* (and because sqlplus is quite picky it has to be further followed by a space or CR) and then, everything till the closing */ is taken as a comment. This assumption is wrong because, in sqlplus, a # at the very beginning of a line means "execute the command on that line". In fact, it doesn't have to be # but this is the symbol configured by default for sqlprefix setting. Just check it out:

SQL> show sqlprefix
sqlprefix "#" (hex 23)
However, we are simply fooled by our editor which, with its nice code highlighting feature, just marked our comments accordingly. Of course, it doesn't know anything about the sqlplus "sqlprefix" setting. So, before running any third-party scripts you should carefully look at them, even at comments.

3 comments:

DanyC said...

Fiind Roman am decis sa scriu in limba materna.

Alex, merci ptr acest tip, nu stiam de asa ceva. Multa bafta, Dani

Alexandru Tică said...

Nici o problema DanyC. Ca sa fiu sincer nici eu nu stiam si am descoperit din intamplare. Unul din colegii mei vroia sa creeze in sqlplus un pachet care avea un comment cu # chiar la inceputul liniei si bine-inteles ca primea un mesaj de eroare. Pana la urma stii cum se spune: "omu' cat traieste invata". :) Multa bafta si tie!

Anonymous said...

Genial fill someone in on and this fill someone in on helped me alot in my college assignement. Thank you as your information.