SQL Tunnelling - Exploiting Internal Networks via SQL Injection


We had a chat with Sid of notsosecure.com about his idea of exploiting internal networks with the Oracle UTL_HTTP package. As soon as he mentioned it, I thought of a clone of XSSTunnel for this purpose, one which can tunnel any HTTP traffic through SQL injections. Just set up your browser to use this local proxy and hang around the target system's internal network, fire WebInspect and nikto against it!

There is another potential issue here: an attacker can bypass some restrictions by abusing trust relationships, and this can lead to interesting vulnerabilities. For example, accessing localhost on the Oracle server can lead you to an interface where you can manage stuff without a password. Nico talked about a similar issue in his "Having fun with PostgreSQL" paper. Or consider accessing /trace.axd in a local web application to see the website's trace information, even though it is configured to show this information to local users only.

Nowadays I'm bloody lazy, so I'm not planning to write such a tool (at least for the next couple of months), but it'd be nice if someone built it so we can play with it...
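
The tunnelling idea above depends on the account behind the injectable query being allowed to call UTL_HTTP. As an added example (not from the original post), a DBA can audit and tighten that from the database side; it goes beyond UTL_HTTP to Oracle's other network-capable packages, the ACL views assume Oracle 11g or later, and `reporting_svc` is a hypothetical account name.

```sql
-- Added example: audit which accounts can make outbound network calls from SQL.
-- Run as a user with access to the DBA_* dictionary views.

-- 1. Who holds EXECUTE on the network-capable packages?
--    A row with GRANTEE = 'PUBLIC' means every account, including the one
--    a web application connects as, can issue requests from the DB host.
SELECT grantee,
       owner,
       table_name AS package_name,
       privilege
FROM   dba_tab_privs
WHERE  privilege = 'EXECUTE'
AND    table_name IN ('UTL_HTTP', 'UTL_TCP', 'UTL_SMTP',
                      'UTL_INADDR', 'HTTPURITYPE')
ORDER  BY table_name, grantee;

-- 2. Oracle 11g and later: which hosts and ports do the network ACLs
--    open up, and to which principals? Look for wildcard hosts ('*') and
--    for localhost or internal ranges that trust the database server.
SELECT a.host,
       a.lower_port,
       a.upper_port,
       p.principal,
       p.privilege,
       p.is_grant
FROM   dba_network_acls a
JOIN   dba_network_acl_privileges p
       ON p.acl = a.acl
ORDER  BY a.host, p.principal;

-- 3. Hardening: drop the blanket grant, then grant back only to the
--    named accounts that genuinely need outbound HTTP.
--    Revoking can invalidate dependent objects, so check query 1 and
--    recompile afterwards.
REVOKE EXECUTE ON SYS.UTL_HTTP FROM PUBLIC;
-- GRANT EXECUTE ON SYS.UTL_HTTP TO reporting_svc;  -- hypothetical account
```

Services that treat requests from the database host or from localhost as trusted, as in the /trace.axd case, still need their own authentication, since this only narrows who can originate such requests from SQL.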
