Create a "Driver" for the Demo
CREATE OR REPLACE PACKAGE sql_injection_demo
IS
   -- Demonstration package for SQL injection through a concatenated WHERE clause.
   -- name_sal_for takes raw predicate text and opens a cursor over hr.employees;
   -- show_name_sal prints that cursor's rows with DBMS_OUTPUT and closes it.

   -- One row of the query result: employee last name and salary.
   TYPE name_sal_rt IS RECORD (
      last_name   hr.employees.last_name%TYPE
    , salary      hr.employees.salary%TYPE
   );

   -- Prints each (last_name, salary) row of rows_inout under a banner
   -- built from title_in, then closes the cursor.
   PROCEDURE show_name_sal (
      title_in     IN     VARCHAR2
    , rows_inout   IN OUT sys_refcursor
   );

   -- Opens a cursor for: select last_name, salary from hr.employees WHERE <where_in>.
   -- where_in is appended verbatim, which is the injection point the demo exists
   -- to show; a NULL where_in leaves a bare WHERE, so the OPEN fails.
   FUNCTION name_sal_for (where_in IN VARCHAR2 DEFAULT NULL)
      RETURN sys_refcursor;
END sql_injection_demo;
Package created.
Cursor Variables Ease the Way
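CREATE OR REPLACE PACKAGE BODY sql_injection_demo
IS
   -- Builds the employee query by concatenating the caller-supplied WHERE
   -- clause straight into dynamic SQL. This is the injection point the demo
   -- exists to show: whatever text where_in contains becomes part of the
   -- statement, so a predicate with a UNION appended runs a second SELECT.
   -- In production code, pass values as bind variables (OPEN ... FOR ... USING)
   -- and do not accept a free-form predicate string; if identifiers must be
   -- dynamic, validate them with DBMS_ASSERT.
   --
   -- where_in : raw predicate text appended after WHERE; not validated.
   -- Returns  : an open ref cursor over (last_name, salary); the caller closes it.
   -- Raises   : the dynamic-SQL error from OPEN when the assembled statement is
   --            invalid, including when where_in is NULL (the default leaves a
   --            bare WHERE).
   FUNCTION name_sal_for (where_in IN VARCHAR2 DEFAULT NULL)
      RETURN sys_refcursor
   IS
      l_query  VARCHAR2 (32767)
         := 'select last_name, salary from hr.employees WHERE ' || where_in;
      l_cursor sys_refcursor;
   BEGIN
      OPEN l_cursor FOR l_query;
      RETURN l_cursor;
   END name_sal_for;

   -- Prints a banner and every (last_name, salary) row of rows_inout, then
   -- closes it. The cursor is also closed if fetching raises, so an error in
   -- the middle of the result set does not leave an open cursor behind; the
   -- original exception is re-raised unchanged.
   PROCEDURE show_name_sal (
      title_in     IN     VARCHAR2
    , rows_inout   IN OUT sys_refcursor
   )
   IS
      l_employee name_sal_rt;
   BEGIN
      DBMS_OUTPUT.put_line (RPAD ('=', 100, '='));
      DBMS_OUTPUT.put_line ('SQL Injection Demonstration: ' || title_in);
      LOOP
         FETCH rows_inout INTO l_employee;
         EXIT WHEN rows_inout%NOTFOUND;
         DBMS_OUTPUT.put_line (l_employee.last_name || '-' || l_employee.salary);
      END LOOP;
      CLOSE rows_inout;
   EXCEPTION
      WHEN OTHERS
      THEN
         -- Release the cursor on the error path, then let the caller see the error.
         IF rows_inout%ISOPEN
         THEN
            CLOSE rows_inout;
         END IF;
         RAISE;
   END show_name_sal;
END sql_injection_demo;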
Package Body created.
Inject a second SELECT
DECLARE
   c_dept_filter   CONSTANT VARCHAR2 (100) := 'department_id = 100';
   l_result        sys_refcursor;
BEGIN
   -- Intended use: a plain predicate returns the department's employees.
   l_result := sql_injection_demo.name_sal_for (c_dept_filter);
   sql_injection_demo.show_name_sal ('Department 100', l_result);

   -- Injection: the same predicate with a UNION appended. Because name_sal_for
   -- concatenates its argument into the statement, the second SELECT runs too
   -- and its rows appear in the output as if they were employees.
   -- The "classic" form unions in ALL_USERS.username, but ALL_USERS is not
   -- accessible in the LiveSQL environment (and yields nothing interesting
   -- there), so USER_OBJECTS stands in for it.
   l_result :=
      sql_injection_demo.name_sal_for
         (   c_dept_filter
          || ' UNION select SUBSTR (''Pretend USER: '' || object_name, 1, 25), 1 from user_objects'
         );
   sql_injection_demo.show_name_sal ('Department 100 PLUS Users', l_result);
END;
====================================================================================================
SQL Injection Demonstration: Department 100
Greenberg-12008
Faviet-9000
Chen-8200
Sciarra-7700
Urman-7800
Popp-6900
====================================================================================================
SQL Injection Demonstration: Department 100 PLUS Users
Chen-8200
Faviet-9000
Greenberg-12008
Popp-6900
Pretend USER: SQL_INJECTI-1
Pretend USER: V$SQL-1
Pretend USER: V$SQLSTATS-1
Pretend USER: V$SQL_PLAN-1
Sciarra-7700
Urman-7800