SQL Injection Demo

View All Scripts Login to Run Script

Script Name SQL Injection Demo
Description SQL Injection examples of a procedure vulnerable to statement modification and a procedure vulnerable to statement injection.
Area PL/SQL General / PL/SQL Procedures, Functions, Packages
Referenced In Database PL/SQL Language Reference
Contributor Sarah Hirschfeld (Oracle)
Created Monday April 17, 2017

Statement 1

Create a table with secret records.

CREATE TABLE secret_records ( 
  user_name    VARCHAR2(9), 
  service_type VARCHAR2(12), 
  value        VARCHAR2(30), 
  date_created DATE 
)

Table created.

Statement 2

INSERT INTO secret_records ( 
  user_name, service_type, value, date_created 
) 
VALUES ('Andy', 'Waiter', 'Serve dinner at Cafe Pete', SYSDATE)

1 row(s) inserted.

Statement 3

INSERT INTO secret_records ( 
  user_name, service_type, value, date_created 
) 
VALUES ('Chuck', 'Merger', 'Buy company XYZ', SYSDATE)

1 row(s) inserted.

Statement 4

The SELECT statement is vulnerable to modification because it uses concatenation to build WHERE clause.

Procedure Vulnerable to Statement Modification

CREATE OR REPLACE PROCEDURE get_record ( 
  user_name    IN  VARCHAR2, 
  service_type IN  VARCHAR2, 
  rec          OUT VARCHAR2 
) AUTHID DEFINER 
IS 
  query VARCHAR2(4000); 
BEGIN 
  
  query := 'SELECT value FROM secret_records WHERE user_name=''' 
           || user_name  
           || ''' AND service_type='''  
           || service_type  
           || ''''; 
  DBMS_OUTPUT.PUT_LINE('Query: ' || query); 
  EXECUTE IMMEDIATE query INTO rec ; 
  DBMS_OUTPUT.PUT_LINE('Rec: ' || rec ); 
END;

Procedure created.

Statement 5

Demonstrate procedure without SQL injection:

DECLARE 
  record_value VARCHAR2(4000); 
BEGIN 
  get_record('Andy', 'Waiter', record_value); 
END;

Query: SELECT value FROM secret_records WHERE user_name='Andy' AND service_type='Waiter'
Rec: Serve dinner at Cafe Pete

Statement 6

With statement modification, the procedure returns a supposedly secret record.

Example of statement modification:

DECLARE 
  record_value VARCHAR2(4000); 
BEGIN 
  get_record( 
    'Anybody '' OR service_type=''Merger''--',  
    'Anything',  
    record_value); 
END;

Query: SELECT value FROM secret_records WHERE user_name='Anybody ' OR service_type='Merger'--' AND service_type='Anything'
Rec: Buy company XYZ

Statement 7

Create a procedure that is vulnerable to statement injection

Procedure Vulnerable to Statement Injection

CREATE OR REPLACE PROCEDURE p 
  (user_name    IN  VARCHAR2, 
   service_type IN  VARCHAR2) AUTHID DEFINER 
IS 
  block1 VARCHAR2(4000); 
BEGIN 
  block1 :=  
    'BEGIN  
       DBMS_OUTPUT.PUT_LINE(''user_name: ' || user_name || ''');' 
       || 'DBMS_OUTPUT.PUT_LINE(''service_type: ' || service_type || '''); 
     END;'; 
 
  DBMS_OUTPUT.PUT_LINE('Block1: ' || block1); 
 
  EXECUTE IMMEDIATE block1; 
END;

Procedure created.

Statement 8

Demonstrate procedure without SQL injection:

BEGIN 
  p('Andy', 'Waiter'); 
END;

Block1: BEGIN  
       DBMS_OUTPUT.PUT_LINE('user_name: Andy');DBMS_OUTPUT.PUT_LINE('service_type: Waiter'); 
     END;
user_name: Andy
service_type: Waiter

Statement 9

SELECT * FROM secret_records ORDER BY user_name


USER_NAME SERVICE_TYPE VALUE DATE_CREATED
Andy Waiter Serve dinner at Cafe Pete 17-APR-17
Chuck Merger Buy company XYZ 17-APR-17

2 rows selected.

USER_NAME	SERVICE_TYPE	VALUE	DATE_CREATED
Andy	Waiter	Serve dinner at Cafe Pete	17-APR-17
Chuck	Merger	Buy company XYZ	17-APR-17

Statement 10

Example of statement modification:

BEGIN 
  p('Anybody',  
    'Anything''); DELETE FROM secret_records WHERE service_type=INITCAP(''Merger'); 
END;

Block1: BEGIN  
       DBMS_OUTPUT.PUT_LINE('user_name: Anybody');DBMS_OUTPUT.PUT_LINE('service_type: Anything'); DELETE FROM secret_records WHERE service_type=INITCAP('Merger'); 
     END;
user_name: Anybody
service_type: Anything

Statement 11

A record was deleted.

SELECT * FROM secret_records


USER_NAME SERVICE_TYPE VALUE DATE_CREATED
Andy Waiter Serve dinner at Cafe Pete 17-APR-17

USER_NAME	SERVICE_TYPE	VALUE	DATE_CREATED
Andy	Waiter	Serve dinner at Cafe Pete	17-APR-17

Additional Information

Database on OTN SQL and PL/SQL Discussion forums
Oracle Database
Download Oracle Database