
OS Command Injection in SQL


Some database management systems allow an external library or extended stored procedure to be registered so that SQL code can execute operating-system shell commands.

Building such a shell command from untrusted input introduces an OS command injection vulnerability: the input is handed to a shell, so any shell metacharacters it contains are interpreted as additional commands rather than treated as data.

Vulnerable Examples

PL/SQL

Oracle Database supports CREATE LIBRARY, which registers a shared operating-system library whose functions can then be called as external procedures; if the library exposes a function such as the C library's system(), those procedures can execute arbitrary shell commands.

In this snippet, the value of v_untrusted_string is concatenated directly into the command string, so it could be abused to inject a new shell command.

-- Register a shared OS library; "system" below is the C library function system(3).
CREATE OR REPLACE LIBRARY exec_shell AS '/libs/execlib.so';

-- External procedure: the string passed in goes straight to system(), i.e. to /bin/sh -c.
CREATE OR REPLACE NONEDITIONABLE PROCEDURE "DB"."RUNCMD" (command IN CHAR)
IS EXTERNAL
NAME "system"
LIBRARY exec_shell
LANGUAGE C;
/

-- Vulnerable call: untrusted input is concatenated into the shell command unchanged.
DECLARE
  v_untrusted_string VARCHAR2(4000) := :user_input; -- caller-supplied value (bind variable)
BEGIN
  runcmd('/bin/echo ' || v_untrusted_string);
END;
/

T-SQL

SQL Server's xp_cmdshell server configuration option lets system administrators control whether the xp_cmdshell extended stored procedure, which runs a command shell, can be executed on the instance. By default, the xp_cmdshell option is disabled on new installations and has to be enabled with sp_configure.

In this snippet, the value of @v_untrusted_string is concatenated directly into the command string, so it could be abused to inject a new shell command.

-- Enabling xp_cmdshell requires sysadmin rights; it is off by default.
EXECUTE sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
EXECUTE sp_configure 'xp_cmdshell', 1;
GO
RECONFIGURE;
GO

-- Vulnerable call: the command string is built from untrusted input and handed
-- to the command shell. xp_cmdshell accepts a variable or a literal, not an
-- expression, so the concatenation has to be done into a variable first.
DECLARE @v_untrusted_string NVARCHAR(4000) = N'<caller-supplied value>';
DECLARE @cmd NVARCHAR(4000) = N'/bin/echo ' + ISNULL(@v_untrusted_string, N'');
EXEC xp_cmdshell @cmd;
GO
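As an added example that is not part of the original page, here is a hardened PL/SQL wrapper around the RUNCMD external procedure from the Oracle snippet above: it allowlists the argument before anything reaches system(), so shell metacharacters are rejected instead of interpreted. The same check belongs in front of xp_cmdshell in the T-SQL case. The procedure name safe_echo, the allowlist pattern and the sample inputs are assumptions made for this example.

```sql
-- Added example (not from the original page). Assumes the EXEC_SHELL library
-- and the RUNCMD external procedure defined in the PL/SQL snippet above.
CREATE OR REPLACE PROCEDURE safe_echo (p_arg IN VARCHAR2)
IS
BEGIN
  -- Reject anything outside a strict allowlist before it reaches system():
  -- shell metacharacters such as ; | & $ ` ( ) quotes and newlines never pass,
  -- and an upper length bound keeps the command predictable.
  IF p_arg IS NULL
     OR LENGTH(p_arg) > 64
     OR NOT REGEXP_LIKE(p_arg, '^[A-Za-z0-9_.-]+$') THEN
    RAISE_APPLICATION_ERROR(-20001, 'invalid argument for echo');
  END IF;

  -- Only the fixed command plus a validated token ever reaches the shell.
  runcmd('/bin/echo ' || p_arg);
END;
/

-- Demonstration with constructed inputs (requires SET SERVEROUTPUT ON in SQL*Plus).
BEGIN
  safe_echo('hello');        -- accepted: runs /bin/echo hello
  safe_echo('hello; id');    -- rejected: raises ORA-20001, the shell never sees ";"
EXCEPTION
  WHEN OTHERS THEN
    DBMS_OUTPUT.PUT_LINE(SQLERRM);
END;
/
```

Validation is a fallback: where possible, do not expose a shell from the database at all, and keep EXECUTE on RUNCMD (or on xp_cmdshell) away from application accounts.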

Reference

Mitre - CWE-78: Improper Neutralization of Special Elements used in an OS Command

OWASP - Command Injection