Attacking Oracle PL/SQL Web Applications
Oracle PL/SQL Gateway Architecture
The Oracle PL/SQL Gateway provides the capability to execute PL/SQL procedures in an Oracle database server via the web. It provides a gateway, a seamless path from the Internet, into a backend Oracle database server over the web. When a user connects with a web browser to a web server running the Oracle PL/SQL Gateway, the Gateway simply proxies the user's request to the database server where it is executed. The Oracle PL/SQL Gateway is built into Oracle Portal, Oracle Application, Server, and the Oracle HTTP Server, as shown in Figure 9-1.
Figure 9-1: The Oracle PL/SQL Gateway
Recognizing the Oracle PL/SQL Gateway
When performing any kind of security assessment, it's important to know what technology you're actually dealing with. To that end, this section briefly examines how to recognize Oracle Portal when you come across it.
PL/SQL Gateway URLs
URLs for PL/SQL web applications are normally easily recognizable and generally start with the following (xyz can be any string and represents a Database Access Descriptor, which you will learn more about later):
http://server.example.com/pls/xyz
http://server.example.com/xyz/owa
http://server.example.com/xyz/plsql
While the second and third of these examples represent URLs from older versions of the PL/SQL Gateway, the first is from more recent versions running on Apache. In the plsql.conf Apache configuration file, /plsis the default, specified as a Location with the PLS module as the handler. The Location need not be /pls, however. The absence of a file extension in a URL could indicate the presence of the Oracle PL/SQL Gateway. Consider the following URL:
http://server/aaa/bbb/xxxxx.yyyyy
If xxxxx.yyyyy were replaced with something along the lines of "ebank.home," "store.welcome," "auth.login," or "books.search," then there's a fairly strong chance that the PL/SQL Gateway is being used. You can perform a few simple tests to verify this, but before looking at these let's fully explore the URL syntax:
http://server/pls/xyz/pkg.proc
In this URL, xyz is the Database Access Descriptor, or DAD. A DAD specifies information about the database server so that the PL/SQL Gateway can connect. It contains information such as the TNS connect string, the user ID and password, authentication methods, and so on. These DADs are specified in the dads.conf Apache configuration file in more recent versions or the wdbsvr.app file in older versions. Some default DADs include the following:
ORASSO
PORTAL
SIMPLEDAD
SSODAD
The pkg in the URL shown above is the name of a PL/SQL package stored in the backend database server, and proc is a procedure exported by the package. The best way to think of a PL/SQL package is as a program that lives in an Oracle database server, with each procedure exposing a bit of functionality that can be called. For example, you could write a Calculator PL/SQL package. The package would be called CALC and it would have procedures call ADD, SUBTRACT, DIVIDE, and MULTIPLY. You could then execute these procedures via the PL/SQL Gateway:
http://server/pls/xyz/calc.add?x1=10&y=20
The source for the CALC package is as follows:
-- CALC PL/SQL Package
-- create the package specification
CREATE OR REPLACE PACKAGE CALC IS
PROCEDURE ADD(X NUMBER, Y NUMBER);
PROCEDURE SUBTRACT(X NUMBER, Y NUMBER);
PROCEDURE DIVIDE(X NUMBER, Y NUMBER);
PROCEDURE MULTIPLY(X NUMBER, Y NUMBER);
END CALC;
/
-- create package's body
CREATE OR REPLACE PACKAGE BODY CALC IS
PROCEDURE ADD(X NUMBER, Y NUMBER) IS
BEGIN
HTP.PRINT(X + Y);
END ADD;
PROCEDURE SUBTRACT(X NUMBER, Y NUMBER) IS
BEGIN
HTP.PRINT(X - Y);
END SUBTRACT;
PROCEDURE DIVIDE(X NUMBER, Y NUMBER) IS
BEGIN
HTP.PRINT(X / Y);
END DIVIDE;
PROCEDURE MULTIPLY(X NUMBER, Y NUMBER) IS
BEGIN
HTP.PRINT(X * Y);
END MULTIPLY;
END CALC;
/
GRANT EXECUTE ON CALC TO PUBLIC;
This brings up an interesting point: With the CALC package possibly existing in any one of many schemas, how does Gateway "know" where to look? The username specified in the DAD usually indicates the schema, but remember from the chapter opener that Gateway is just that: a gateway into the database. If we specify a different schema, we can get access to other packages. Assuming for a moment that SCOTT created the CALC package, we could gain access to it - even if the schema specified in the DAD were FOO:
http://server/pls/xyz/SCOTT.calc.add?x1=10&y=20
This is one of the key weaknesses of the Oracle PL/SQL Gateway.
Oracle Portal
The Oracle Portal application is built upon the Oracle PL/SQL Gateway. If you see a URL similar to
http://server.example.com/portal/page?_pageid=number&_dad=portal&_schema
=PORTAL
then the server is running the Gateway. Converting a Portal URL like the preceding one to a Gateway URL requires you to take the dad parameter and append it to /pls:
http://server.example.com/pls/portal/null
We'll get to null in a minute. Having explained the URL syntax, let's look at some simple ways of confirming whether the PL/SQL Gateway is running.
No comments:
Post a Comment