[dbsec] Re: Oracle Security

  • From: "David Litchfield" <davidl@xxxxxxxxxxxxxxx>
  • To: <dbsec@xxxxxxxxxxxxx>
  • Date: Sat, 12 Aug 2006 20:12:15 +0100

Dave,
I'll respond to you offlist.
Cheers,
David

----- Original Message -----
From: "Hull, Dave" <dphull@xxxxxx>
To: <dbsec@xxxxxxxxxxxxx>; <dbsec@xxxxxxxxxxxxx>
Sent: Saturday, August 12, 2006 7:05 PM
Subject: [dbsec] Re: Oracle Security



Thanks David. I've tried using the DBMS_EXPORT_EXTENSION injection techniques to grant myself dba. I get an empty result set when the query runs. Show errors doesn't return anything, but I'm unable to set my role to dba and select * from session_privs doesn't show any new privileges.


I've tried the same injection, but with grant create trigger to myself and don't have any luck with that either.

Here's the injection I've been trying, which is lifted straight from the course materials:

execute immediate ''declare pragma autonomous_transaction; begin execute immediate ''''grant dba to user'''' ; end;''; END;--'

Still no joy.

Again, thanks for your help.

________________________________

From: dbsec-bounce@xxxxxxxxxxxxx on behalf of David Litchfield
Sent: Sat 8/12/2006 3:20 AM
To: dbsec@xxxxxxxxxxxxx
Subject: [dbsec] Re: Oracle Security



Hi Dave,

Many of the exploits we were shown relied on
creating procedures or triggers

At the course I spoke about DBMS_EXPORT_EXTENSION being the holy grail of Oracle SQL injection... This little package can be used to do anything you want as a DBA in all versions of Oracle from 10gR2 back to 8.1.7 (and probably earlier). HTH.

Cheers,
David



----- Original Message -----
From: "Hull, Dave" <dphull@xxxxxx>
To: <dbsec@xxxxxxxxxxxxx>
Sent: Saturday, August 12, 2006 5:13 AM
Subject: [dbsec] Oracle Security


I was a student in David Litchfield's Breakable course at Black Hat Training this year. It was a great class and we learned numerous techniques for elevating our privileges from a relatively non-privileged user to DBA.

I'm back at work now trying to determine our vulnerability level and so far
I've been stumped at every turn. I went to our DBAs and asked them to give
me an account on a test system. They asked me what rights I wanted and I
told them nothing special.

What I have is:
SQL> select * from session_privs;
PRIVILEGE
----------------------------------------
CREATE SESSION
ALTER SESSION
CREATE TABLE
CREATE CLUSTER
CREATE SYNONYM
CREATE VIEW
CREATE SEQUENCE
CREATE DATABASE LINK
8 rows selected.
SQL>

Many of the exploits we were shown relied on creating procedures or
triggers. Naturally, I don't have sufficient rights to go down that path.
I've spent the better half of the day today reading all the docs I can find
to look for other methods. I've tried most of the default username/password
lists that I can find and that too is a dead end.

I suspect there's something I'm missing and was wondering if anyone on the
list could point me in a new direction.

Thanks in advance.







