Oracle 10g: escalating the SCOTT user to DBA privileges

Source: Internet
Author: User

Oracle 10g SCOTT User Privilege Escalation

Author: Vic (when reposting, please keep the article intact)
Sina: http://weibo.com/2052543207/profile
BKJIA: http://niuzu.blog.51cto.com/

One day, I came across an Oracle server in India. From the Remote Desktop I could see that this was another work machine under domain control.

Checking the Oracle users gives the following results:
[-] Loading services/sids from service file
[-] Checking sid (ORCL) for common passwords
[-] Account SCOTT/TIGER found
[-] Enumerating system accounts for SID (ORCL)
[-] Succesfully enumerated 24 accounts
[-] Checking user supplied passwords against sid (ORCL)
[-] Checking user supplied dictionary
[-] Account TKELLY/TKELLY found
[-] Account WEBSCANET1/WEBSCANET1 found
[-] Account MDDATA/MDDATA is locked
[-] Account MDSYS/MDSYS is locked
[-] Account SI_INFORMTN_SCHEMA/SI_INFORMTN_SCHEMA is locked
[-] Account ORDPLUGINS/ORDPLUGINS is locked
[-] Account ORDSYS/ORDSYS is locked
[-] Account OLAPSYS/OLAPSYS is locked
[-] Account XDB/XDB is locked
[-] Account CTXSYS/CTXSYS is locked
[-] Account EXFSYS/EXFSYS is locked
[-] Account WMSYS/WMSYS is locked
[-] Account TSMSYS/TSMSYS is locked
[-] Account DMSYS/DMSYS is locked
[-] Account DIP/DIP is locked
[-] Account OUTLN/OUTLN is locked
Three users can connect; all the others are locked. Logging on with these three users shows that the database version is 10.2.0.1.0.

None of the three users has DBA privileges.

Without being able to call Java, it is not possible to create a Windows user or log on to the Remote Desktop. I decided to connect to the database as TKELLY first and see what the situation was. The database has a USERMASTER table.

Judging by the name, it holds the administrator information.

However, the passwords are encrypted with 40-bit MD5, so I posted them for cracking...

The only way to get DBA privileges is through Oracle injection. Privilege escalation on 10g and later is hard, not as easy as on 8i or 9i, so we found nearly 10 methods on the Internet:
SQL Injection in SYS.LT.COMPRESSWORKSPACETREE
SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL
SQL Injection in SYS.LT.COMPRESSWORKSPACETREE
SQL Injection in SYS.LT.MERGEWORKSPACE
SQL Injection in SYS.LT.REMOVEWORKSPACE
Buffer Overflow in xdb_xdb_pitrig_pkg
PLSQL Injection in xdb_xdb_pitrig_pkg
PLSQL Injection in pitrig_truncate

All of the above methods failed. It is hard; only those who have actually tried it will understand... I was on the verge of breaking down... Looking at the remaining statements, I kept going
and tried SQL Injection in SYS.LT.FINDRICSET with IDS Evasion.

It reports success. Checking the SCOTT user: OK, it now has DBA.

The hardest hurdle is finally cleared; next, Java is called to run commands.

Create a system user named TEST and add it to the Administrator group.

With that, the Remote Desktop logon succeeds.

Use net view to see the multiple hosts in the workgroup.

As for how to penetrate further, earlier blog posts have covered that, so it is not repeated here. After the test is completed, exit the desktop and delete the TEST user just created from the Oracle command line.

This completes the Oracle 10g DBA privilege escalation test.
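
From the defender's side, the conditions this walkthrough depended on (an unpatched 10.2.0.1.0 base release, open accounts with guessable passwords, an unexpected DBA grant, Java execution rights) can be checked from the data dictionary. The script below is an added example, not part of the original post; it assumes a DBA session in SQL*Plus, and the list of expected administrators (SYS, SYSTEM) is an assumption to adjust per site.

```sql
-- Added audit example (not from the original post). Run as a DBA.

-- 1. Patch level: the server in the write-up reported 10.2.0.1.0.
SELECT banner FROM v$version;

-- 2. Accounts that can still log on. Demo accounts such as SCOTT and any
--    account whose password equals its name should be locked or dropped.
SELECT username, account_status, profile, created
  FROM dba_users
 WHERE account_status = 'OPEN'
 ORDER BY username;

-- 3. Holders of DBA or JAVASYSPRIV outside the expected administrators.
--    The NOT IN list is a site-specific assumption.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'JAVASYSPRIV')
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY granted_role, grantee;

-- 4. Who may execute SYS.LT, the package named in the write-up.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'LT'
   AND privilege = 'EXECUTE'
 ORDER BY grantee;

-- 5. Java policy entries that allow running operating-system programs.
SELECT grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE kind = 'GRANT'
   AND type_name = 'java.io.FilePermission'
   AND LOWER(action) LIKE '%execute%'
 ORDER BY grantee;

-- 6. Remediation for the account in the write-up, to be run once the
--    queries above confirm the grant (REVOKE errors harmlessly otherwise).
REVOKE DBA FROM scott;
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;
```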
