Oracle Portal for Friends

Oracle 10g Application Server up to 10.1.2.1.0: remote exploitation of what is described in:

This example makes use of injection in ORASSO.HOME, but these paths also work:

  • JAVA_AUTONOMOUS_TRANSACTION.PUSH
  • XMLGEN.USELOWERCASETAGNAMES
  • PORTAL.WWV_HTP.CENTERCLOSE
  • ORASSO.HOME
  • WWC_VERSION.GET_HTTP_DATABASE_INFO

Information gathering

View current user (should be ORASSO_PUBLIC)

View roles of current user

View full users list

View the IP address of the database server

View the hostname of the database server

Exploiting

The user ORASSO_PUBLIC has very few privileges and cannot create procedures, functions or packages, so only a few exploits can be used to elevate its privileges.

Another way is to use cursors to exploit common vulnerabilities without creating packages or functions.

Exploit #1 grants DBA to the current user (Oracle 10g R1 and R2 prior to CPU Oct 2006); an error is returned, but it works anyway! It does not need to create packages.

Exploit #2 (ab)using SYS.KUPW$WORKER.MAIN to execute commands as DBA

http://www.milw0rm.com/exploits/3584

Create user PENTEST identified by PEN123TEST.

Obviously this works only if you have granted DBA to ORASSO_PUBLIC.

Give some specific, Java-related grants to user PENTEST.

These privileges are needed if you want to use Java to execute O.S. commands and read/write the underlying file system using raptor_oraexec.sql:

http://0xdeadbeef.info/exploits/raptor_oraexec.sql

Create a backdoor package that also works if the vulnerability is patched.

The package is owned by SYS, so each issued command is executed as SYSDBA.

Grant public execute to the backdoor package.

Creating a public synonym can be useful to run the backdoor while bypassing the mod_plsql blacklist (be sure not to use a forbidden word for the synonym name, like sys, owa, system, etc.).

Use this syntax to execute commands as SYSDBA through the backdoor (yes, it works via HTTP too 🙂).

This is a Java procedure to access the file system and execute OS commands (raptor_oraexec.sql). You can run it on a single command line or just cut & paste it as it is.

Let's create 3 different procedures that use the Java source above to execute commands, read files and write files.

Execute commands

Read files

Write (append) to a file

Use the dbms_java.grant_permission stored procedure to give read, write and execute on the file system (/) to the user PENTEST.

Grant public execute on the new stored procedures oraexec.*.

Here we go, let's run some OS commands (remember to use full paths).
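From the defender's side, every step above leaves a trace in the data dictionary. The following audit queries are an added example, not part of the original write-up or of raptor_oraexec.sql; they use only standard Oracle dictionary views (DBA_ROLE_PRIVS, DBA_USERS, DBA_TAB_PRIVS, DBA_OBJECTS, DBA_SYNONYMS, DBA_JAVA_POLICY, V$DATABASE) and assume they are run by a DBA account; the 30-day window and the "synonym name differs from object name" heuristic are assumptions to tune against your own baseline.

```sql
-- Added audit queries: look for the artefacts the portal-exploitation chain leaves behind.
-- Run as a DBA. Window and heuristics are assumptions; compare against a known-good baseline.

-- 1. DBA granted to the anonymous portal account, or to any recently created account
--    (the write-up creates user PENTEST after granting DBA to ORASSO_PUBLIC).
SELECT rp.grantee, rp.granted_role, rp.admin_option, u.created
  FROM dba_role_privs rp
  JOIN dba_users u ON u.username = rp.grantee
 WHERE rp.granted_role = 'DBA'
   AND (rp.grantee = 'ORASSO_PUBLIC' OR u.created > SYSDATE - 30);

-- 2. SYS-owned PL/SQL that PUBLIC may execute and that appeared after database creation
--    (a backdoor package owned by SYS with a public execute grant). Patch sets also add
--    SYS objects, so review each hit rather than alerting blindly.
SELECT tp.owner, tp.table_name, o.object_type, o.created
  FROM dba_tab_privs tp
  JOIN dba_objects o ON o.owner = tp.owner AND o.object_name = tp.table_name
 WHERE tp.grantee   = 'PUBLIC'
   AND tp.privilege = 'EXECUTE'
   AND tp.owner     = 'SYS'
   AND o.object_type IN ('PACKAGE', 'PROCEDURE', 'FUNCTION')
   AND o.created > (SELECT created + 1 FROM v$database);

-- 3. Public synonyms aliasing SYS-owned PL/SQL under a different name, the trick used to
--    slip past the mod_plsql blacklist. Oracle's own public synonyms normally keep the
--    object's name, so a renamed alias is worth a look.
SELECT s.synonym_name, s.table_owner, s.table_name, o.object_type, o.created
  FROM dba_synonyms s
  JOIN dba_objects o ON o.owner = s.table_owner AND o.object_name = s.table_name
 WHERE s.owner       = 'PUBLIC'
   AND s.table_owner = 'SYS'
   AND o.object_type IN ('PACKAGE', 'PROCEDURE', 'FUNCTION')
   AND s.synonym_name <> s.table_name;

-- 4. Java file-system permissions handed out with dbms_java.grant_permission
--    (read/write/execute on '/' lets a stored Java procedure touch the whole host).
SELECT grantee, type_name, name, action, kind, enabled
  FROM dba_java_policy
 WHERE type_name = 'java.io.FilePermission'
   AND kind      = 'GRANT'
   AND enabled   = 'ENABLED'
   AND (name IN ('/', '/-', '<<ALL FILES>>') OR name LIKE '/%')
   AND (LOWER(action) LIKE '%write%' OR LOWER(action) LIKE '%execute%');
```

Any row returned by queries 1, 3 or 4 on a production portal database deserves an incident ticket; query 2 needs a baseline taken right after installation and after each CPU to be useful.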