198, Donald, OConnell, DOCONNEL, 650.507.9833, 2007-06-21 00:00:00, SH_CLERK, 2600
(E27811A8C7C9D9F3), null, 124, 50
Oracle success 2)
198, Donald, OConnell, DOCONNEL, 650.507.9833, 21-JUN-07, SH_CLERK, 2600, , 124, 50
(F7EA4E97B2F39E036AF6E880B2E5CA3EB78332BF8CE82B7585A4CBC7B340FEBDE4862830927
D118D27A1DDE3304478D9A463EBA9BC78E3188217884D5F5EA92F54A6EA2FB62598D1419F003295D
F1C076E48BC6D07058E3B)
Oracle success 3)
Oracle success 4)
300, David, Coffin, DAVID.COFFIN, 800.555.1212, 2010-08-30 00:00:00, SA_REP, 9000.25, .15,
147, 80
Oracle success 5) No data on failed SQL Injection
Oracle success 6) No data on failed SQL Injection
Failed where expected - OK. Need key exchange.
Oracle success 8)
Oracle success 9)
Demonstrating Scenarios
Here is a list in relatively plain English of the scenarios we have demonstrated. There is a lot of code to
accomplish all these different scenarios. The code for each scenario is very similar to some of the other
scenarios, with modifications for the specific demonstration.
- We queried the EMPLOYEES table and got the SALARY and COMMISSION_PCT columns back in encrypted form. For both of these, we print out the decrypted String, and in parentheses, the stringValue() of the encrypted RAW (unless null). We only show the first row of the ResultSet.
- We queried the table and got all the columns back in one concatenated String, in encrypted form. We print the decrypted data, and in parentheses, the stringValue() of the encrypted RAW. Again, we only show the first row.
- We do an insert or update to the EMPLOYEES table, inserting EMPLOYEE_ID = 300. If it already exists, we do an update. At that point, the salary is 9000.25 (now I'm dreaming).
- We select a single row from EMPLOYEES, requesting data WHERE EMPLOYEE_ID = 300.
- We attempt to query EMPLOYEES through our procedures with a sample SQL injection string. This fails, and no data is returned.
- We attempt again to query EMPLOYEES through our procedures with a sample SQL injection string, this time transmitted as a RAW and only converted when we do the SELECT. This also fails, and no data is returned.
- We can alternately compile TestOracleJavaSecure to test resetting the client keys or resetting the Oracle connection. After that, our attempt to send encrypted data to the Oracle database for insert/update fails, as expected.
- We successfully call the p_get_shared_passphrase procedure and run the makeDESKey() method to complete key exchange.