SQL injection, database vulnerabilities, stored procedure vulnerabilities, computer security
Structured Query Language (SQL) injection is one of the most devastating vulnerabilities to impact a business, as it can lead to the exposure of sensitive information stored in an application’s database. SQL Injection can compromise usernames, passwords, addresses, phone numbers, and credit card details. It is the vulnerability that results when an attacker achieves the ability to influence SQL queries that an application passes to a back-end database. The attacker can often leverage the syntax and capabilities of SQL, as well as the power and flexibility of supporting database functionality and operating system functionality available to the database to compromise the web application. In this article we demonstrate two non-web based SQL Injection attacks one of which can be carried out by executing a stored procedure with escalating privileges. We present the unique way in which Oracle handles single and double quotes in strings because, as shown in this paper, this is one of the features of the language that can be exploited in the construction of an injection attack. Recommendations on how to resolve these vulnerabilities are proposed.
Faculty of Applied Science & Technology
School of Applied Computing
International Journal on Computer Science and Engineering (IJCSE)
Peer Reviewed/Refereed Publication
© 2012 The Authors. Published by International Journal on Computer Science and Engineering. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
Original Publication Citation
Ansari, S., & Sykes, E. R. (2012). SQL Injection in ORACLE: An exploration of vulnerabilities. International Journal on Computer Science and Engineering, 4(4), 522-531. Retrieved from http://www.enggjournals.com/ijcse/doc/IJCSE12-04-04-077.pdf
Ansari, Sid and Sykes, Edward R., "SQL Injection in Oracle: An Exploration of Vulnerabilities" (2012). Faculty Publications and Scholarship. 7.