All Topics
All Topics
Technology
Technology
AI
AI
Business
Business
Entertainment
Entertainment
News
News
Programming
Programming
Science
Science
Design
Design
Environment
Environment
Finance
Finance
Crypto
Crypto
Politics
Politics
Sports
Sports
Education
Education
Gaming
Gaming
Art
Art
Music
Music
Health
Health
Security
Security
Books
Books
Food
Food
Travel
Travel
Personal
Personal
Bluesky
Twitter

SQLSnoop Attack Exploits Database System Views to Intercept Plaintext Passwords Before Hashing

By

HackMoN Ai

25d ago· 7 min readenInsight

Summary

This article details a SQL injection attack technique called "SQLSnoop" that exploits database system views (Oracle's v$sql and PostgreSQL's pg_stat_activity) to capture plaintext passwords even when they are hashed within SQL queries. The attack requires VIEW SERVER STATE permission and works by injecting a loop with DBMS_LOCK.SLEEP to monitor active SQL statements containing password hashing functions like STANDARD_HASH, allowing attackers to intercept the plaintext password before it gets hashed. The article discusses mitigation strategies including revoking unnecessary permissions and restricting access to system views.

Source

bskySQLSnoop Attack Exploits Database System Views to Intercept Plaintext Passwords Before Hashingundercodetesting.com

Key quotes

· 3 pulled
Requires `VIEW SERVER STATE` permission. However, many legacy applications grant this to the web app user.
Both Oracle and PostgreSQL expose active SQL through system views, making them vulnerable.
Oracle's `v$sql` retains completed queries for a short duration, while PostgreSQL's `pg_stat_activity` shows currently running statements.
Snippet from the RSS feed
SQLSnoop Breaks the Hash: How Attackers Steal Plaintext Passwords Even When You Hash Them in SQL + Video - "Undercode Testing": Monitor hackers like a pro.

You might also wanna read

Comments

Sign in to join the conversation.

No comments yet. Be the first.