client9/libinjection

SQLMap testing with Oracle failing


Testing with SQLMap revealed vulnerability with Oracle.

Initially we tested with the old external Java port (https://github.com/jeonglee/Libinjection) against Oracle and the report came out clean. No vulnerabilities detected.

However when tested with the latest main code base v3.9.1 (https://github.com/client9/libinjection) using JNI, SQLMap identified an injection point and stopped.

Please let me know if I am missing anything here. Would be happy to provide additional details and test code. We are simply using the parameter to make a back-end Oracle JDBC query using
"Select * from EMPLOYEES where UPPER(NAME) like '%" + employeeName.toUpperCase() + "%'";


SQLMap command used for testing:
dev@winpc /cygdrive/c/Users/dev/sql-map/sqlmap-1.1.3
$ python "C:\Users\dev\sql-map\sqlmap-1.1.3\sqlmap.py" --url="http://localhost:8080/was-test-1.2-SNAPSHOT/employee?name=David" --timeout=10 --retries=1 --keep-alive --threads=3 --batch --level=5 --risk=3 --flush-session -p name --keep-alive --tamper="between,randomcase,space2comment" --dbms oracle

Error reported by Sqlmap:
GET parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 1356 HTTP(s) requests:

Parameter: name (GET)
Type: error-based
Title: Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)
Payload: name=David' AND 2259=DBMS_UTILITY.SQLID_TO_SQLHASH((CHR(113)||CHR(113)||CHR(122)||CHR(112)||CHR(113)||(SELECT (CASE WHEN (2259=2259) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(112)||CHR(118)||CHR(113))) AND 'XrMo' LIKE 'XrMo
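The query in the report splices the request parameter straight into the SQL text, so any detector in front of it (libinjection or otherwise) is only a secondary control; the primary fix is to bind the search term as a parameter. The following is an added example, not code from the issue reporter or from the libinjection project, showing the concatenated form next to a parameterized `LIKE` with wildcard escaping. The class name `EmployeeSearch`, the method names, and the `NAME` column of the `EMPLOYEES` table are assumptions for the illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical data-access class for the EMPLOYEES table mentioned in the issue. */
public final class EmployeeSearch {

    /**
     * The pattern from the issue: user input becomes part of the SQL text.
     * A quote in employeeName closes the string literal and the remainder is
     * parsed as SQL, which is what sqlmap's error-based payload relies on.
     * Kept only to contrast with findByName below; not for use.
     */
    static String buildUnsafeQuery(String employeeName) {
        return "SELECT * FROM EMPLOYEES WHERE UPPER(NAME) LIKE '%"
                + employeeName.toUpperCase() + "%'";
    }

    /**
     * Escapes LIKE metacharacters so the input matches literally.
     * The backslash is declared as the escape character in the ESCAPE clause below.
     */
    static String escapeLike(String input) {
        return input.replace("\\", "\\\\")
                    .replace("%", "\\%")
                    .replace("_", "\\_");
    }

    /**
     * Hardened form: the SQL text is constant and the search term travels as a
     * bind variable, so the database never parses it as SQL. Length and character
     * validation of employeeName is still sensible, but it is not the injection control.
     */
    static List<String> findByName(Connection conn, String employeeName) throws SQLException {
        final String sql = "SELECT NAME FROM EMPLOYEES WHERE UPPER(NAME) LIKE ? ESCAPE '\\'";
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, "%" + escapeLike(employeeName.toUpperCase()) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("NAME"));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed sample input with the same shape as the payload sqlmap reported
        // (a quote that closes the literal, followed by a tautology).
        String hostile = "David' AND 'XrMo' LIKE 'XrMo";
        // With concatenation the input is spliced into the statement text.
        System.out.println(buildUnsafeQuery(hostile));
        // With the bind variable the same input is only ever a LIKE pattern value.
        System.out.println("%" + escapeLike(hostile.toUpperCase()) + "%");
    }
}
```

Running `main` prints the concatenated statement first, where the single quote has terminated the `'%...%'` literal, and then the escaped pattern that `findByName` would pass to `setString`; the second value is data to the Oracle driver regardless of what it contains.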