When exploiting PL/SQL injection flaws in SELECT/UPDATE/INSERT/DELETE statements, it has long been known that if an attacker can create their own function and inject it, they can execute arbitrary PL/SQL code – for example EXECUTE IMMEDIATE ‘GRANT DBA TO PUBLIC’. Of course, if the attacker cannot create their own function because they lack the privileges, their ability to execute arbitrary PL/SQL is severely limited, unless they can find an extant function already on the system that lets them execute arbitrary PL/SQL. Prior to April 2006 the DBMS_EXPORT_EXTENSION function could be used for this purpose, but it has now been fixed. This paper looks at how a low-privileged user (that is, a user with only the CREATE SESSION system privilege) may exploit a PL/SQL injection flaw to gain DBA privileges by searching for and examining other functions like DBMS_EXPORT_EXTENSION.
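As an added illustration (constructed here, not code from the paper; the schema and object names are assumptions), the vulnerable pattern the abstract describes beside its hardened form, followed by an audit query a DBA can run to list the kind of PUBLIC-executable, definer's-rights units the paper says a CREATE SESSION-only user would go looking for:

```sql
-- Constructed example; app_owner, employees and lookup_salary are assumed names.

-- 1. VULNERABLE: a definer's-rights procedure, executable by PUBLIC, that pastes
--    its argument into the statement text. Whatever the caller puts in p_name
--    becomes part of a SELECT that runs with app_owner's privileges.
CREATE OR REPLACE PROCEDURE app_owner.lookup_salary (p_name IN VARCHAR2)
AUTHID DEFINER
AS
  v_salary NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT salary FROM app_owner.employees WHERE name = ''' || p_name || ''''
    INTO v_salary;
  DBMS_OUTPUT.PUT_LINE('Salary: ' || v_salary);
END;
/
GRANT EXECUTE ON app_owner.lookup_salary TO PUBLIC;

-- 2. HARDENED: the argument is passed as a bind variable, so it is always a
--    data value and never statement text; no function call can be injected
--    into the query. (Static SQL, WHERE name = p_name, binds automatically
--    and is preferable whenever the statement itself is fixed.)
CREATE OR REPLACE PROCEDURE app_owner.lookup_salary (p_name IN VARCHAR2)
AUTHID DEFINER
AS
  v_salary NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT salary FROM app_owner.employees WHERE name = :name'
    INTO v_salary USING p_name;
  DBMS_OUTPUT.PUT_LINE('Salary: ' || v_salary);
END;
/

-- 3. AUDIT: definer's-rights PL/SQL units that PUBLIC may execute and whose
--    source contains dynamic SQL. Review these first for concatenated input.
SELECT DISTINCT p.owner, p.object_name, p.object_type
FROM   dba_procedures p
JOIN   dba_tab_privs  t ON t.owner = p.owner AND t.table_name = p.object_name
JOIN   dba_source     s ON s.owner = p.owner AND s.name = p.object_name
WHERE  p.authid    = 'DEFINER'
AND    t.grantee   = 'PUBLIC'
AND    t.privilege = 'EXECUTE'
AND    (UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%' OR UPPER(s.text) LIKE '%DBMS_SQL%')
ORDER  BY p.owner, p.object_name;
```

The audit query needs SELECT access to the DBA_* views and will list false positives (dynamic SQL that already binds correctly), so each hit still has to be read rather than treated as a confirmed flaw.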
Author: David Litchfield