OracleSQL Write File

Context

This article explains how to exploit Oracle SQL Injection to write files on the server. We assume you already understand SQL queries, file system permissions, and the architecture of Oracle databases. By the end of this guide, you will know how to leverage SQL injection vulnerabilities to manipulate files on an Oracle server, potentially escalating privileges.

Theory

Oracle File System Interaction

Oracle databases have the capability to interact with the file system through specific packages. These interactions require the database to have appropriate privileges and directory access to ensure security controls are respected.

UTL_FILE.PUT_LINE Function

The UTL_FILE.PUT_LINE is a PL/SQL package used to write data to files on the server. This function can become a vulnerability if an attacker manages to exploit SQL injection to gain unauthorized access to it. It allows writing arbitrary content to files, provided the right permissions exist.

DBMS_LOB.WRITE Procedure

DBMS_LOB.WRITE is a procedure that enables writing data to Large Objects (LOBs), such as files. Attackers can leverage SQL injection to exploit this procedure, creating and writing to files without intended access controls. This sequence typically involves crafting an SQL injection that can call DBMS_LOB.WRITE.

SQL Injection Exploitation for File Writing

For an attacker to write files via SQL Injection, they must first identify injectable points within the application. This exploitation process requires an existing SQL injection vulnerability and sufficient privileges to execute file writing commands. The steps include discovering vulnerable inputs and crafting the payloads needed to invoke write operations.

Practice

Writing Files with UTL_FILE.PUT_LINE

To write to a file using the UTL_FILE.PUT_LINE function, follow these steps:

  • Inject the following SQL command to write 'content' to 'filename.txt':
SELECT UTL_FILE.PUT_LINE(UTL_FILE.FOPEN('DIRECTORY','filename.txt','w'), 'content');

This SQL command opens a file in a specified directory and writes a given string content. Ensure the target directory has been predefined in Oracle as a valid directory object.

Outcome:
A new file, 'filename.txt', is created on the server with the specified content, given the correct permissions and accessible directory.

Writing Files with DBMS_LOB.WRITE

For writing files with the DBMS_LOB.WRITE procedure, execute the following steps:

  • Inject the following SQL code to write 'content' to a temporary LOB:
DECLARE
    lob_loc BLOB; 
BEGIN 
    DBMS_LOB.CREATETEMPORARY(lob_loc, TRUE); 
    DBMS_LOB.WRITE(lob_loc, LENGTH('content'), 1, 'content'); 
END;

This declaration creates a temporary LOB and writes your content into it. The use of DBMS_LOB.CREATETEMPORARY provides a placeholder for file data until processed further.

Outcome:
A temporary LOB is created on the server containing the specified content. The LOB can represent file data depending on its subsequent use or writing to a disk path.

Tools

  • SQLMap
  • Oracle SQL Developer

These tools assist in executing SQL injection and interacting with Oracle databases, facilitating the exploitation of file manipulation vulnerabilities in an operational manner.

We use cookies

We use cookies to ensure you get the best experience on our website. For more information on how we use cookies, please see our cookie policy.