vendor:
Oracle Database Server
by:
Alexandr "Sh2kerr" Polyakov
N/A
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Oracle Database Server
Affected Version From: Oracle 10.1.0.2.0
Affected Version To: Oracle 10.1.0.2.0
Patch Exists: NO
Related CWE:
CPE: oracle:database_server:10.1.0.2.0
Platforms Tested:
2007
Oracle 10g LT.FINDRICSET SQL Injection Exploit
This exploit allows an attacker to grant DBA privileges to the scott user using evil cursor injection. No 'create procedure' privilege is needed. The exploit also includes funny IDS evasion with base64 encoding.
Mitigation:
To mitigate this vulnerability, ensure that all user input is properly validated and sanitized before being used in SQL queries. Also, limit the privileges of database users to minimize the potential impact of SQL injection attacks.