Stored Procedure Abuse
What is Stored Procedure Abuse?
Exploiting privileged or insecure database stored procedures to execute arbitrary SQL, run OS commands, or escalate privileges from the database layer.
Stored procedures encapsulate SQL on the database server and often run with elevated rights. Abuse occurs when an attacker can invoke dangerous built-ins (Microsoft SQL Server's xp_cmdshell, OPENROWSET, sp_OACreate; Oracle's UTL_FILE, DBMS_SCHEDULER; PostgreSQL's COPY ... PROGRAM), or when application-defined procedures concatenate parameters into dynamic SQL via EXEC/sp_executesql without parameter binding, reintroducing SQL injection inside trusted code. Outcomes include OS command execution as the DB service account, lateral movement via linked servers, data exfiltration through file system writes, and bypass of application-layer access controls. Hardening: drop or disable dangerous procedures, run with least privilege, use sp_executesql with typed parameters, and restrict who can EXECUTE.
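As an added illustration (not code from the original page), the dynamic-SQL weakness described above beside its hardened sp_executesql form, followed by the two hardening controls the text names, in T-SQL for Microsoft SQL Server; the table dbo.Customer, the role app_reader and the procedure names are assumed, and CREATE OR ALTER assumes SQL Server 2016 SP1 or later.

```sql
-- Vulnerable pattern: caller input is concatenated into the query text, so the
-- procedure's own EXECUTE rights are lent to whatever SQL the input contains.
CREATE OR ALTER PROCEDURE dbo.usp_FindCustomer_Vulnerable
    @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, Name FROM dbo.Customer WHERE Name = ''' + @Name + N'''';
    EXEC (@sql);   -- the string is parsed as code, not treated as data
END;
GO

-- Hardened form: the query text is a constant; the value travels as a typed
-- parameter through sp_executesql and is never parsed as SQL.
CREATE OR ALTER PROCEDURE dbo.usp_FindCustomer
    @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, Name FROM dbo.Customer WHERE Name = @p_name;';
    EXEC sys.sp_executesql @sql,
         N'@p_name NVARCHAR(100)',
         @p_name = @Name;
END;
GO

-- Least privilege: grant EXECUTE on this one procedure to an application
-- role (assumed name app_reader), never to public.
GRANT EXECUTE ON OBJECT::dbo.usp_FindCustomer TO app_reader;
GO

-- Disable the dangerous built-in at the instance level.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
GO

-- Audit check: list every principal holding an explicit permission on
-- xp_cmdshell (it lives in master). An empty result is the expected state;
-- sysadmin members can always run it, so review that role's membership too.
SELECT pr.name, pe.permission_name, pe.state_desc
FROM master.sys.database_permissions AS pe
JOIN master.sys.database_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pe.major_id = OBJECT_ID('master.sys.xp_cmdshell');
GO
```

Disabling xp_cmdshell via sp_configure is a configuration setting, not a permission: a sysadmin can re-enable it, so the check that matters is who holds sysadmin or CONTROL SERVER.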
● Examples
- 01: Using xp_cmdshell after SQL injection on a Microsoft SQL Server to run whoami as the SQL service account.
- 02: Abusing PostgreSQL COPY ... PROGRAM through a custom procedure to spawn a reverse shell.
● Frequently asked questions
What is Stored Procedure Abuse?
Exploiting privileged or insecure database stored procedures to execute arbitrary SQL, run OS commands, or escalate privileges from the database layer. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against Stored Procedure Abuse?
Defences for Stored Procedure Abuse combine technical controls and operational practices: drop or disable dangerous built-ins such as xp_cmdshell, run the database service and its procedures with least privilege, build dynamic SQL only through sp_executesql with typed parameters, and restrict which principals hold EXECUTE on each procedure, as detailed in the full definition above.
What are other names for Stored Procedure Abuse?
Common alternative names include: xp_cmdshell abuse, Dangerous stored procedures.
● Related terms
- SQL Injection (attacks № 1084): A code-injection attack that smuggles attacker-controlled SQL into a database query, letting the attacker read, modify, or destroy data.
- ORM Injection (attacks № 767): An injection attack against applications using an Object-Relational Mapper that abuses dynamic queries, mass-assignment, or raw query escape hatches to manipulate data access.
- Privilege Escalation (vulnerabilities № 860): A class of vulnerabilities that lets an attacker gain rights beyond those originally granted, such as moving from a normal user to administrator.