This Metasploit module will escalate an Oracle DB user to DBA by creating a function-based index on a table owned by a more-privileged user. Credits to David Litchfield for publishing the technique.
ade73cadd101d342c2c6875bb24c4400d6deadc6c7838c15a95008aafaadc320
This is the original NGSSoftware (David Litchfield) exploit presented at Black Hat 2003, with modified offsets.
2934de4bc1a2a39fa753b07c7aed7721ca1d6b5bdca6f0a13ab3af13bb340f69
Oracle XDB FTP service UNLOCK buffer overflow exploit.
9e19613c0772392eaf9f901e50037bd1162a139d600f1e7c69b1a0f577c16ba4
A total of 27 vulnerabilities have been patched by Oracle. These affect eBusiness Suite R12.x and 11.5, Apex, Primavera, OBIEE, and Agile DB components. The issues include SQL injection, cross-site scripting, XXE injection, SSRF, failed access controls, and more.
1653be97a06d0c2cfb3b03919f6fc2b0e26ba7129144b78467d3acbf64b1587a
The ability to execute arbitrary SQL on Oracle via a SQL injection flaw is hampered by the fact that the Oracle RDBMS will not batch multiple queries. Typically, a low-privileged attacker with, say, only the CREATE SESSION privilege must find a function they can inject that will allow them to execute a block of anonymous PL/SQL. These are known as auxiliary inject functions. Depending upon the version of Oracle and which components are installed, auxiliary inject functions may be few and far between. For example, on Oracle 12c with the internal Java VM removed, there may be none. Indeed, during a recent client assessment the author of this paper was confronted with such a situation: a PL/SQL injection flaw but no easy method of exploitation to gain full control of the database server. This paper presents a way around such a problem using DBMS_XMLSTORE and, coincidentally, DBMS_XMLSAVE. This method can be used in web-based SQL injection attacks as well.
42373a43d60cc25c4d8fb1e06e905e8adafeae668b2a402d7121f1232ab9d611
Oracle data redaction is a simple but clever and innovative idea from Oracle. However, at present there are weaknesses that undermine its effectiveness as a security mechanism. These weaknesses can be exploited via web-based SQL injection attacks; this paper details those weaknesses and provides suggestions on how the feature can be improved and made more secure.
8cb488d94f0f24c541295b45894955646b915f06b2bd3f2038f2c4e7aac4422f
This Metasploit module exploits the Oracle Job Scheduler to execute arbitrary commands. The Job Scheduler is implemented via the component extjob.exe, which listens on a named pipe called "orcljsex<SID>" and executes arbitrary commands received through this channel via CreateProcess(). In order to connect to the named pipe remotely, SMB access is required. This Metasploit module has been tested on Oracle 10g Release 1, where the Oracle Job Scheduler runs as SYSTEM on Windows but is disabled by default.
a5520991853dfba840715d948313a5ca0eee49a3177ec837c2761cf043b2c418
Whitepaper called Exploiting PL/SQL Injection With Only CREATE SESSION Privileges In Oracle 11g.
31157f3cb6f553cf34b6e768826f981a7cca2b5b1cc22b2d008070e67dfeea5a
Whitepaper called Hacking Aurora In Oracle 11g.
0feb80641a5561dcb72d5ac33a246623657479f00c1457155b7e072996ee1aa7
By passing an overly long token to the UNLOCK command, a stack based buffer overflow occurs.
9d803a65a0fa667c55d0a6301fe1f03824fd821936248035c9472f401cc84910
Oracle 11g has an issue where password history is broken if it is set to use 11g passwords exclusively.
0510af9aad44c7b6b78b30c03316a2131fe500ceabd5a53f4596b48268c0147d
Whitepaper called Bypassing Oracle DBMS_ASSERT (in certain situations). Originally written in July of 2008 but is just being released now.
e6e1d68c71f6151caeb0c9cf0b475ad6bbf96d0a3d4464eca34740718a6b39f8
Oracle suffers from a PL/SQL injection vulnerability in REPCAT_RPC.VALIDATE_REMOTE_RC.
5d4b4629c0dfdd25f1e4105dfc3bdb283c7a29ba838e5cb3f49d18e230721815
NGSSoftware Insight Security Research Advisory - Oracle has just released a fix for a flaw that, when exploited, allows a low privileged authenticated database user to gain MDSYS privileges. This can be abused by an attacker to perform actions as the MDSYS user. MDSYS.SDO_TOPO_DROP_FTBL is one of the triggers that forms part of the Oracle Spatial Application. It is vulnerable to SQL injection. When a user drops a table the trigger fires. The name of the table is embedded in a dynamic SQL query which is then executed by the trigger. Note that the Oracle advisory states that the attacker requires the DROP TABLE and CREATE PROCEDURE privileges. This is not the case and only CREATE SESSION privileges are required.
5121c42e5d2e8b18156a9dd21c0939cd3a695ecc1539eda09d741e19ef556402
Orablock gives a forensic investigator the ability to dump data from a "cold" Oracle data file. There is no need to load the data file into the database, which would cause the data file to be modified, so using Orablock preserves the evidence. Orablock can also be used to locate "stale" data, that is, data that has been deleted or updated.
c27a3adbdc20b162d44045a32dee98aa4c8cc3e34d7b97443c808d75c9a898ef
Oracle Forensics Part 7: Using the Oracle System Change Number in Forensic Examinations.
051ce7024ae89d5e1b9b1e94a3bf3171e5efbdd0947cbd1832b4846b9d8611cf
Follow up information regarding a whitepaper about lateral SQL injection and how ALTER SESSION privileges are not needed.
06ae8157765032c011e169cd19e3c3a5aabdb8d056cd7f0dc04fe33ce633c4c1
NGSSoftware Insight Security Research Advisory - Oracle Application Server installs a number of PLSQL packages in the backend database server. One of these is the WWV_RENDER_REPORT package and it is vulnerable to PLSQL injection. This package uses definer rights execution and therefore executes with the privileges of the owner, in this case the highly privileged PORTAL user.
9b8fadd595dfccce56403731ee006274cd61e8b1f62476460b18211d7135e98e
Lateral SQL Injection: A New Class of Vulnerability in Oracle.
0db673b33010a9aa5626bc5198e1ef07be87e36a1d9a04d25e9c098c2c211bbe
Oracle 11g and 10g have a default password vulnerability during the install process.
9f5760b9411b159e7a5575efdffb65924eed9b9c2af42fc47a84c44578aa8694
NGSSoftware Insight Security Research Advisory - The Oracle XML DB ftp service contains problems with auditing logins.
2639ac2b24b2c8d5133eff124f15167a71fbd4375eea39277529464a214d3dce
NGSSoftware Insight Security Research Advisory - The Oracle RDBMS on receiving an invalid TNS data packet will use 100% of the CPU's time introducing a denial of service condition.
e7b0e95883d2072b1a56b5fdfcf4738223ad9c7c04551753f7ce3368ba5e986c
NGSSoftware Insight Security Research Advisory - The Oracle TNS Listener suffers from denial of service and/or remote memory inspection vulnerabilities. Systems affected include Oracle 8.1.7.4, Oracle 9, and 10g Release 1 and 2.
2df77d5f0342cb6ee96c1251a4daebb88b481263665cf072ef864d3780bd5b37
NGSSoftware Insight Security Research Advisory - The Workspace Manager in Oracle 10g release 1 and 2 and Oracle 9i is vulnerable to SQL injection. The Workspace Manager, owned by SYS, contains a package called LT. This package is owned and defined by the SYS user and can be executed by PUBLIC. LT contains a procedure called FINDRICSET which calls the FINDRICSET package in the LTRIC package. This is vulnerable to SQL injection and can be abused by an attacker to gain SYS privileges.
5df31c6c9790c218a2a5535198524baba532d40fd776334551174739a7f50ba0
NGSSoftware Insight Security Research Advisory - The Intermedia application, owned by CTXSYS, contains a package called CTX_DOC. This package contains multiple SQL injection flaws.
b9ba2ce84bdcab48f900e299204898570d236d962e46142d20245fc29727b497