auxiliary scanners oracle_modplsql_escalate

Author(s):

CG [carnal0wnage]

Description:

Oracle Portal Privilege Escalation. Tries various privilege escalation exploits against oracle portal's that are vulnerable to sql injection in an attempt to escalate the current portal user to DBA

References:

http://www.owasp.org/index.php/Testing_for_Oracle

Module Options:

DAD         portal/                           true       The Database Access Descriptor
INJECTION   PORTAL.WWV_HTP.CENTERCLOSE        true       The vulnerable injection package
PROXYA                                        false      Proxy IP Address
PROXYP                                        false      Proxy Port Number
RURL        http://www.example.com/test.php   true       Target address
URIPATH     /pls/                             true       The URI PATH

Options Explained (Module Specific):

INJECTION -- Vulnerable Injection Package

URIPATH -- Path (before portal).

DAD -- The DAD can change per-site depending on what they've named it OR if they've left the default DAD in. Either way, change if necessary.

Real world example:

Our target is http://vulnoraclesappisembarassingitself.com and it has a DAD at portal. Leave the default setting. If changing, append the '/' after the name change. Example, if changing from portal to portal30,

set DAD portal30/

The same applies for pls only prepend and append. Example,

 set URIPATH /expls/

 set RURL http://vulnoraclesappisembarassingitself.com
 run

Provide feedback

Saved searches

Use saved searches to filter your results more quickly