Databases
Different databases and APIs have different characteristics which influence the way in which they can be attacked. For our exploits, we are interested in whether the API allows multiple queries in a single call, whether it allows comments, and whether it provides a means to obtain the currently executing query. These questions are answered below for the databases we have used.

MySQL
Normally, the MySQL C API does not allow multiple queries in a single call, but starting with version 5, this can be enabled by passing the CLIENT_MULTI_STATEMENTS flag to mysql_real_connect.
The API does allow comments in a query, using the standard comment marker --.

PostgreSQL
Using the libpq API, PostgreSQL allows multiple queries to be specified in a single call. It also allows comments to be specified, using the standard comment marker --.

SQL Server
SQL Server, when accessed through the SQL Distributed Management Objects API, allows both multiple queries and comments in API calls. Comments are started using the standard comment marker --.

Oracle (OCI)
Oracle's OCI API does not allow multiple queries in a single call. It does allow comments in a query, using the standard comment marker --.

Oracle (iSQL*Plus)
Oracle can also be accessed using the SQL*Plus command-line utility. Oracle provides a Perl script that can be used to access this utility through a webserver here. The script Oracle provides only allows predetermined queries to be executed, but we have extended it to allow the query to be specified through the web. Though Oracle does not provide this feature, we expect it to be a realistic scenario, as it allows full access to an Oracle database tunneled over HTTP, which in many organizations is considered to be 'firewall-friendly'.

The script can be found here.

Using this script, it is possible to specify multiple queries; comments are also allowed using the standard marker --.

SQL*Plus is picky about whitespace in queries. A statement must be terminated using a semicolon, after which there must always be a newline. Some statements, such as CREATE FUNCTION, must be followed by a newline and a line containing just a forward slash (/). This makes writing SQL exploits more complicated, but not impossible. The expression CHR(10) can be used to produce a newline from within SQL.
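The three API properties discussed above (statement separators, the -- comment marker, and newlines via CHR(10)) are also what an application receiving tag data can screen for and log. As an added example that is not part of the original page, the following Python screens constructed sample payloads for those constructs and stores them with a bound parameter so the database never parses them as SQL; SQLite stands in for the databases listed above because it ships with Python, and the binding principle is the same for each of them.

```python
import re
import sqlite3

# Constructed sample payloads (not from the original page): one benign value,
# one carrying a statement separator and the -- comment marker, and one using
# CHR(10) to build a newline.
SAMPLE_PAYLOADS = [
    "EPC-0001-BENIGN",
    "abc'; SELECT 1; -- ",
    "abc' || CHR(10) || '/'",
]

_COMMENT = re.compile(r"--")
_NEWLINE = re.compile(r"\n|CHR\s*\(\s*10\s*\)", re.IGNORECASE)


def injection_indicators(payload: str) -> set:
    """Report which of the API features discussed in the text a payload relies on.

    This is a screening aid for logging and alerting only; it recognises just the
    three constructs named in the text and is no substitute for parameter binding.
    """
    found = set()
    if ";" in payload:
        found.add("multi-statement")
    if _COMMENT.search(payload):
        found.add("comment")
    if _NEWLINE.search(payload):
        found.add("newline")
    return found


def store_tag(conn: sqlite3.Connection, tag_data: str) -> int:
    """Store tag data with a bound parameter; the value is never part of the SQL text."""
    cur = conn.execute("INSERT INTO tags(data) VALUES (?)", (tag_data,))
    conn.commit()
    return cur.lastrowid


def demo() -> list:
    """Store every sample payload and return what actually landed in the table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags(id INTEGER PRIMARY KEY, data TEXT)")
    for payload in SAMPLE_PAYLOADS:
        store_tag(conn, payload)
    # Each payload is stored verbatim: the separator and comment marker in the
    # second one were treated as data, not as statement boundaries.
    return [row[0] for row in conn.execute("SELECT data FROM tags ORDER BY id")]
```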
Last modified: Thursday, 02 March 2006 21:24, CET