This Metasploit module will escalate an Oracle DB user to MDSYS by exploiting a sql injection bug in the MDSYS.SDO_TOPO_DROP_FTBL trigger. After that exploit escalate user to DBA using "CREATE ANY TRIGGER" privilege given to MDSYS user by creating evil trigger in system scheme (2-stage attack).
91a0457e6fc1353dda1d938850804c7fbf4f3873992700b019c47715d498af97The module exploits an sql injection flaw in the ALTER_HOTLOG_INTERNAL_CSOURCE procedure of the PL/SQL package DBMS_CDC_IPUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. Fixed with October 2008 CPU.
531bca332b7b8919c806ed365e8ad1c5e5000249344fccaf602038718feac7e5This Metasploit module will escalate an Oracle DB user to DBA by exploiting a sql injection bug in the SYS.DBMS_METADATA.GET_GRANTED_XML package/function.
47ba8aeb06908edd303259a2080cba7efcaa98f8f66c52b0fa64a15448287fe5This Metasploit module will escalate a Oracle DB user to DBA by exploiting an sql injection bug in the SYS.DBMS_METADATA.OPEN package/function.
f6664ac501c9f358d8d4a9410aab3c277a77640982c29a4ac936ead1bc75e8b3The module exploits an sql injection flaw in the DROP_CHANGE_SOURCE procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege.
7e5369ebdc4bfc61aa262475859d683b00bf47b5e34f9da7b3872e8242c9834cThis Metasploit module exploits a sql injection flaw in the REMOVEWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.
27f5ae57e22ed3cfd2e38c06ca48a65e3dfb8c76f9cc56d51d4721d34c60da9cThis Metasploit module will escalate an Oracle DB user to DBA by exploiting a sql injection bug in the DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA package. Note: This Metasploit module has been tested against 9i, 10gR1 and 10gR2.
45e22b08a22f5b9b513570650ac77c9b7cf896df1dddb9d97cc0659722506344This Metasploit module will escalate an Oracle DB user to DBA by exploiting a sql injection bug in the SYS.DBMS_METADATA.GET_XML package/function.
345c6446dfe846a011460df72073d8ff0549b8076c977837fb20c1f2ddb07dd3This Metasploit module exploits an sql injection flaw in the COMPRESSWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.
8d3bbc62256bcef0370fd324d79badfe6dada95158c7b728fcf20137808677d2This Metasploit module will escalate an Oracle DB user to DBA by exploiting a sql injection bug in the SYS.LT.FINDRICSET package via Evil Cursor technique. Tested on oracle 10.1.0.3.0 -- should work on thru 10.1.0.5.0 and supposedly on 11g. Fixed with Oracle Critical Patch update October 2007.
c969f6f19cf659e35b78bffa83fbc8e8694a50647075c02b8636a5ef97eb6c17This Metasploit module exploits a sql injection flaw in the ROLLBACKWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.
ccfe06863fa08c66b4bb04f888a3c40c6a7660aa2a9948479455b087d102bc4dThis Metasploit module exploits a sql injection flaw in the MERGEWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.
25265a201b6de9b641b309ca9d9e2f86d75f62ec4113d2e80983a1052506dbe8This Metasploit module will escalate an Oracle DB user to DBA by exploiting a sql injection bug in the SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION package/function. This vulnerability affects to Oracle Database Server 9i up to 9.2.0.5 and 10g up to 10.1.0.4.
dc9b1de7a0efe0b6df96fb180a6432e4861fefcaaceb66899e1acdd5821ec707The module exploits an sql injection flaw in the ALTER_AUTOLOG_CHANGE_SOURCE procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. Fixed with October 2008 CPU.
14b30e15660808395b533ff80a789b56b79cedf1bffaa219897f461a53b655dcThe module exploits an sql injection flaw in the CREATE_CHANGE_SET procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege.
26ed86f78f01db48be7f14a8b9f1b9fec76717709540eee30aa0dfa68088569fThe Jasmin Ransomware web server contains an unauthenticated SQL injection vulnerability within the login functionality. As of April 15, 2024 this was still unpatched, so all versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched. Retrieving the victims data may take a long amount of time. It is much quicker to get the logins, then just login to the site.
f7e0d4c8db68c72a070412c58aed2d661337854ce5aff7fbe8948bd051ac28cbThis Metasploit module exploits a SQL injection vulnerability in Joomla versions 3.2 through 3.4.4 in order to either enumerate usernames and password hashes.
eaae704ef831c9b61c537f52feac70b43d16b0f1530f7da0d1cbc1ab16b2435bThis Metasploit module exploits a SQL injection vulnerability found in vBulletin 5.x.x to dump the user table information or to dump all of the vBulletin tables (based on the selected options). This Metasploit module has been tested successfully on VBulletin Version 5.6.1 on Ubuntu Linux.
ff56a843c97fa72711235034adea7c67c06a8967f8acf46b212656cf728ac905This Metasploit module exploits a SQL injection vulnerability in BillQUick Web Suite prior to version 22.0.9.1. The application is .net based, and the database is required to be MSSQL. Luckily the website gives error based SQLi messages, so it is trivial to pull data from the database. However the webapp uses an unknown password security algorithm. This vulnerability does not seem to support stacked queries. This Metasploit module pulls the database name, banner, user, hostname, and the SecurityTable (user table).
d8cefad10acdca162e64259d0c38c3ba88805f7a520f39ce7f23d5c73f4b4074The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user supplied data in the total_service parameter of the bookingpress_front_get_category_services AJAX action (available to unauthenticated users), prior to using it in a dynamically constructed SQL query. As a result, unauthenticated attackers can conduct an SQL injection attack to dump sensitive data from the backend database such as usernames and password hashes. This Metasploit module uses this vulnerability to dump the list of WordPress users and their associated email addresses and password hashes for cracking offline.
29ecfa5e38864b30d4aa9450311eb83d8df5628e2fbd5acbfcbc4a942cf3b816This Metasploit module enables an authenticated user to collect the usernames and encrypted passwords of other users in the Dolibarr ERP/CRM via SQL injection.
bf3ca1e9d4350740c01f5818654eeda12704172d96dbfb16f499f0d5e56d58aaThis Metasploit module uses a blind SQL injection (CVE-2020-5724) affecting the Grandstream UCM62xx IP PBX to dump the users table. The injection occurs over a websocket at the websockify endpoint, and specifically occurs when the user requests the challenge (as part of a challenge and response authentication scheme). The injection is blind, but the server response contains a different status code if the query was successful. As such, the attacker can guess the contents of the user database. Most helpfully, the passwords are stored in cleartext within the user table (CVE-2020-5723). This issue was patched in Grandstream UCM62xx IP PBX firmware version 1.20.22.
204edd5f46dc100421611af4e2893d13a1a61846015d99b935feb39ee0afa10aVersions 1.2.13 through 1.2.16 are vulnerable to a SQL injection attack if an attacker can gain access to administrative credentials. This vuln was fixed in 1.2.17.
320419705ca13a1bfcafc3cda1ab534c90225edc3090390aa620b065772e9291AlienVault 4.5.0 is susceptible to an authenticated SQL injection attack via a PNG generation PHP file. This Metasploit module exploits this to read an arbitrary file from the file system. Any authenticated user is able to exploit it, as administrator privileges aren't required.
8ebaffc716eedd5e4b8b8c7e5043252a757d480ee4bddd7781480547382b3917Firmware versions up to 7.0.0-build1904 of Peplink Balance routers are affected by an unauthenticated SQL injection vulnerability in the bauth cookie, successful exploitation of the vulnerability allows an attacker to retrieve the cookies of authenticated users, bypassing the web portal authentication. By default, a session expires 4 hours after login (the setting can be changed by the admin), for this reason, the module attempts to retrieve the most recently created sessions.
b41d992081cc2b6eb2a8f48d7b8d7bae6acdc73882499f0a6250e5da83246835
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed