[dbsec] Re: Oracle Security

Thanks David. I've tried using the DBMS_EXPORT_EXTENSION injection techniques 
to grant myself dba. I get an empty result set when the query runs. Show errors 
doesn't return anything, but I'm unable to set my role to dba and select * from 
session_privs doesn't show any new privileges.
 
I've tried the same injection, but with grant create trigger to myself and 
don't have any luck with that either.
 
Here's the injection I've been trying, which is lifted straight from the course 
materials:
 
execute immediate ''declare pragma autonomous_transaction; begin execute 
immediate ''''grant dba to user'''' ; end;''; END;--'
 
Still no joy.
 
Again, thanks for your help.

________________________________

From: dbsec-bounce@xxxxxxxxxxxxx on behalf of David Litchfield
Sent: Sat 8/12/2006 3:20 AM
To: dbsec@xxxxxxxxxxxxx
Subject: [dbsec] Re: Oracle Security



Hi Dave,

>Many of the exploits we were shown relied on
> creating procedures or triggers

At the course I spoke about DBMS_EXPORT_EXTENSION being the holy grail of
Oracle SQL injection... This little package can be used do anything you want
as a DBA in all versions of Oracle from 10gR2 back to 8.1.7 (and probably
earlier). HTH.

Cheers,
David



----- Original Message -----
From: "Hull, Dave" <dphull@xxxxxx>
To: <dbsec@xxxxxxxxxxxxx>
Sent: Saturday, August 12, 2006 5:13 AM
Subject: [dbsec] Oracle Security


I was a student in David Litchfield's Breakable course at Black Hat Training
this year. It was a great class and we learned numerous techniques for
elevating our privileges from a relatively non-privileged user to DBA.

I'm back at work now trying to determine our vulnerability level and so far
I've been stumped at every turn. I went to our DBAs and asked them to give
me an account on a test system. They asked me what rights I wanted and I
told them nothing special.

What I have is:
SQL> select * from session_privs;
PRIVILEGE
----------------------------------------
CREATE SESSION
ALTER SESSION
CREATE TABLE
CREATE CLUSTER
CREATE SYNONYM
CREATE VIEW
CREATE SEQUENCE
CREATE DATABASE LINK
8 rows selected.
SQL>

Many of the exploits we were shown relied on creating procedures or
triggers. Naturally, I don't have sufficient rights to go down that path.
I've spent the better half of the day today reading all he docs I can find
to look for other methods. I've tried most of the default username/password
lists that I can find and that too is a dead end.

I suspect there's something I'm missing and was wondering if anyone on the
list could point me in a new direction.

Thanks in advance.

Other related posts: