
auxiliary scanners oracle_portal_runcmd

cktricky edited this page Apr 18, 2011 · 5 revisions

Author(s):

CG [carnal0wnage]

Description:

Oracle Portal Privilege Escalation. Tries various privilege escalation exploits against Oracle Portal instances that are vulnerable to SQL injection, in an attempt to escalate the current portal user to DBA.

References:

http://www.owasp.org/index.php/Testing_for_Oracle

Module Options:

Name        Current Setting                   Required   Description
COMMAND     ipconfig                          true       The command to run
DAD         portal/                           true       The Database Access Descriptor
INJECTION   PORTAL.WWV_HTP.CENTERCLOSE        true       The vulnerable injection package
JAVASETUP   true                              true       Set up java libs and command function
PROXYA                                        false      Proxy IP Address
PROXYP                                        false      Proxy Port Number
RURL        http://www.example.com/test.php   true       Target address
URIPATH     /pls/                             true       The URI PATH
VERIFY      true                              true       Verify URL and DBA Status

Options Explained (Module Specific):

INJECTION -- Vulnerable Injection Package

URIPATH -- Path (before portal).

DAD -- The DAD can change per-site depending on what they've named it OR if they've left the default DAD in. Either way, change if necessary.

VERIFY -- If set to true, will verify URL & DBA status

JAVASETUP -- Inject Java specific commands

COMMAND -- The command you'd like to run on the remote server

Real world example:

Our target is http://vulnoraclesappisembarassingitself.com and it has a DAD at portal, so leave the default DAD setting. If you do change it, append a '/' after the new name. For example, if changing from portal to portal30:

set DAD portal30/

The same applies to URIPATH (pls by default), except that the '/' is both prepended and appended. For example:

set URIPATH /expls/

We'd like to run the command 'ls'

set COMMAND ls
set RURL http://vulnoraclesappisembarassingitself.com
run
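
Because DAD and URIPATH differ per site, a log detection for this module's traffic should key on the injectable package name rather than on /pls/portal/. The following is an added example, not part of the original wiki page or the module's code; it assumes the request path is URIPATH + DAD + INJECTION package, Apache-style access logs, and uses constructed sample log lines.

```python
import re

# Package named in this page's INJECTION option; extend with others you track.
WATCHED_PACKAGES = {"portal.wwv_htp.centerclose"}

# Apache-style access log line: client, method, request target, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")

# Constructed sample lines (documentation IP ranges, benign parameters).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Apr/2011:10:00:01 +0000] "GET /pls/portal/PORTAL.WWV_HTP.CENTERCLOSE?p=constructed HTTP/1.1" 200 512',
    '192.0.2.10 - - [18/Apr/2011:10:00:05 +0000] "GET /expls/portal30/portal.wwv%255Fhtp.centerclose HTTP/1.1" 404 210',
    '198.51.100.7 - - [18/Apr/2011:10:01:00 +0000] "GET /pls/portal/home HTTP/1.1" 200 1024',
]


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (%5F, %255F, ...)."""
    for _ in range(rounds):
        decoded = PCT_RE.sub(lambda m: chr(int(m.group(1), 16)), value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return a finding dict if the request calls a watched package, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    # Decode before splitting so an encoded '?' cannot hide the package name.
    path, _, query = decode_fully(target).partition("?")
    segments = [s for s in path.split("/") if s]
    if len(segments) < 2 or segments[-1].lower() not in WATCHED_PACKAGES:
        return None
    prefix = "/" + "/".join(segments[:-2]) + "/" if len(segments) > 2 else "/"
    return {"client": client, "uripath": prefix, "dad": segments[-2],
            "package": segments[-1], "has_args": bool(query), "status": int(status)}


def scan(lines):
    """Return findings for every line that reaches a watched package."""
    return [f for f in map(inspect_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The second sample line is still flagged even though the DAD is portal30, the URIPATH is /expls/ and the package name is double-encoded and lower-cased.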