Oracle DB SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger
This module will escalate a Oracle DB user to MDSYS by exploiting an sql injection bug in the MDSYS.SDO_TOPO_DROP_FTBL trigger. After that exploit escalate user to DBA using "CREATE ANY TRIGGER" privilege given to MDSYS user by creating evil trigger in system scheme (2-stage attack).
Rank
- Normal
Authors
- Sh2kerr < research[ad]dsec.ru >
Vulnerability References
Development
Similar Modules
- auxiliary/sqli/oracle/dbms_cdc_ipublish
- auxiliary/sqli/oracle/dbms_cdc_publish
- auxiliary/sqli/oracle/dbms_cdc_publish2
- auxiliary/sqli/oracle/dbms_cdc_publish3
- auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription
- auxiliary/sqli/oracle/dbms_export_extension
- auxiliary/sqli/oracle/dbms_metadata_get_granted_xml
- auxiliary/sqli/oracle/dbms_metadata_get_xml
- auxiliary/sqli/oracle/dbms_metadata_open
- auxiliary/sqli/oracle/jvm_os_code_10g
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/sqli/oracle/droptable_trigger
msf auxiliary(droptable_trigger) > run
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/sqli/oracle/droptable_trigger
msf auxiliary(droptable_trigger) > run
Module Options
| FILENAME | The file name. (default: msf.sql) |
| OUTPUTPATH | The location of the file. (default: ./data/exploits/) |
| SQL | The SQL to execute. (default: GRANT DBA TO SCOTT) |
| USER | The current user. (default: SCOTT) |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |