OS Command Injection in SQL
Several DBMSs let SQL code reach the operating system: Oracle Database registers a shared library with CREATE LIBRARY and exposes its functions as external procedures, and SQL Server ships the xp_cmdshell extended stored procedure. If untrusted input is concatenated into the command string handed to such a routine, the input can terminate the intended command and start another one, an OS Command Injection vulnerability (CWE-78) that runs with the operating-system privileges of the database process or its helper agent rather than with the caller's database privileges.
Vulnerable Examples
PL/SQL
Oracle Database supports CREATE LIBRARY, which registers a shared operating-system library whose exported functions can then be declared as external PL/SQL procedures and called from SQL. Binding the C library function system() this way turns every call into a shell command, executed by the extproc agent with that agent's OS privileges.
In the snippet below, the v_untrusted_string variable is concatenated directly into the shell command line, so a value containing a shell separator (for example 'hello; id') runs a second command.
-- Register the shared object that exports the function to be called (here, system()).
CREATE OR REPLACE LIBRARY exec_shell AS '/libs/execlib.so';
-- Bind the C function system(), which always runs its argument through /bin/sh -c.
CREATE OR REPLACE NONEDITIONABLE PROCEDURE "DB"."RUNCMD" (command IN CHAR)
IS EXTERNAL
NAME "system"
LIBRARY exec_shell
LANGUAGE C;
-- Vulnerable call site: the untrusted value is spliced into the shell command line.
DECLARE
  v_untrusted_string VARCHAR2(4000); -- assigned from untrusted input elsewhere
BEGIN
  runcmd('/bin/echo ' || v_untrusted_string);
END;
T-SQL
SQL Server exposes the xp_cmdshell extended stored procedure, which passes its argument to the Windows command shell; the spawned process has the same rights as the SQL Server service account (or, for callers outside the sysadmin role, the configured proxy account). Whether it can be executed at all is governed by the xp_cmdshell server configuration option, which is disabled by default on new installations, so the snippet below first enables it with sp_configure.
The @v_untrusted_string variable is then concatenated into the command string, so a value containing a shell separator (for example 'hello & whoami') runs a second command.
-- Changing these options requires ALTER SETTINGS (held by sysadmin); GO is the sqlcmd/SSMS batch separator.
EXECUTE sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
EXECUTE sp_configure 'xp_cmdshell', 1;
GO
RECONFIGURE;
GO
-- Vulnerable call site. xp_cmdshell accepts a constant or a single variable, not an
-- expression, so the command is assembled first; the untrusted value is spliced into it.
DECLARE @v_untrusted_string NVARCHAR(4000); -- assigned from untrusted input elsewhere
DECLARE @cmd NVARCHAR(4000) = '/bin/echo ' + ISNULL(@v_untrusted_string, '');
EXEC xp_cmdshell @cmd;
GO
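A hardened form of the call, added here as an example and not code from the original page: because xp_cmdshell always hands its argument to the command interpreter, the only defence short of leaving it disabled is to refuse any value that could alter the command line before it reaches the shell. The names dbo.IsSafeShellArgument and dbo.EchoSafely, the 64-character limit and the allowlist pattern are illustrative assumptions; the block assumes xp_cmdshell has been enabled as in the snippet above and keeps its /bin/echo placeholder command. The same check, written with REGEXP_LIKE, applies equally to the PL/SQL runcmd call in the previous section.

```sql
-- Added example, not from the original page. dbo.IsSafeShellArgument and
-- dbo.EchoSafely are hypothetical names; xp_cmdshell is assumed to be enabled.

-- Allowlist check: returns 1 when the value contains only characters that
-- cannot change the meaning of a cmd.exe or sh command line, else 0.
CREATE OR ALTER FUNCTION dbo.IsSafeShellArgument (@value NVARCHAR(4000))
RETURNS BIT
AS
BEGIN
    IF @value IS NULL OR LEN(@value) = 0 OR LEN(@value) > 64
        RETURN 0;

    -- PATINDEX returns the position of the first character NOT in the
    -- class, or 0 if every character is allowed. The binary collation
    -- keeps [A-Za-z0-9] literal; under a case- or accent-insensitive
    -- collation the range would also match other characters.
    IF PATINDEX(N'%[^A-Za-z0-9_ .]%', @value COLLATE Latin1_General_BIN2) > 0
        RETURN 0;

    RETURN 1;
END;
GO

-- Call site: the validator gates the only path to the shell, and the
-- command is still assembled into a variable because xp_cmdshell does
-- not accept an expression as its argument.
CREATE OR ALTER PROCEDURE dbo.EchoSafely (@v_untrusted_string NVARCHAR(4000))
AS
BEGIN
    IF dbo.IsSafeShellArgument(@v_untrusted_string) = 0
        THROW 50001, N'Argument rejected: characters outside the allowlist', 1;

    DECLARE @cmd NVARCHAR(4000) = N'/bin/echo ' + @v_untrusted_string;
    EXEC xp_cmdshell @cmd;
END;
GO

-- Constructed inputs: the first is echoed; the second would have appended
-- a whoami command and is rejected before any shell is spawned.
EXEC dbo.EchoSafely N'hello world';
EXEC dbo.EchoSafely N'hello & whoami';
GO
```

The collation clause is not decoration: under the case- and accent-insensitive collations most servers default to, LIKE ranges such as [A-Z] follow the collation's sort order and admit characters the pattern's author never intended, so an allowlist written without it is weaker than it looks. An allowlist is the fallback for when shelling out from the database cannot be avoided; the stronger fix is to leave xp_cmdshell disabled and move OS-level work outside the database.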
Reference
MITRE - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), https://cwe.mitre.org/data/definitions/78.html