CVE-2005-4832

Oracle Database Server 10g - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2005-4832. PoCs published by bunker, Esteban Martinez Fayo, juan vazquez, including Metasploit module auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription.

AI-analyzed exploit summary This Perl script exploits CVE-2005-4832 in Oracle Database 9i/10g by leveraging cursor injection in the DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION procedure to grant or revoke DBA privileges without requiring CREATE PROCEDURE privileges. It uses DBD::Oracle to execute malicious SQL commands via an autonomous transaction.

Description

SQL injection vulnerability in the Oracle Database Server 10g allows remote authenticated users to execute arbitrary SQL commands with elevated privileges via the SUBSCRIPTION_NAME parameter in the (1) SYS.DBMS_CDC_SUBSCRIBE and (2) SYS.DBMS_CDC_ISUBSCRIBE packages, a different vector than CVE-2005-1197.

Exploits (5)

exploitdb WORKING POC VERIFIED
by bunker · perlremotemultiple
https://www.exploit-db.com/exploits/3378

This Perl script exploits CVE-2005-4832 in Oracle Database 9i/10g by leveraging cursor injection in the DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION procedure to grant or revoke DBA privileges without requiring CREATE PROCEDURE privileges. It uses DBD::Oracle to execute malicious SQL commands via an autonomous transaction.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Oracle Database 9i/10g (tested on 10.1.0.3.0)
Auth required
Prerequisites: Valid Oracle credentials · Network access to Oracle database · DBD::Oracle Perl module
devstral-2 · analyzed Feb 18, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by bunker · perlremotemultiple
https://www.exploit-db.com/exploits/25453

This Perl script exploits an SQL injection vulnerability in Oracle's DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION procedure (CVE-2005-4832) to grant or revoke DBA privileges to an unprivileged user. It leverages cursor injection to execute arbitrary SQL commands with SYS privileges.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Oracle Database 9i/10g (specifically 10.1.0.3.0)
Auth required
Prerequisites: Valid Oracle credentials · Network access to Oracle database · DBD::Oracle Perl module · Oracle InstantClient
devstral-2 · analyzed Feb 18, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by bunker · perlremotewindows
https://www.exploit-db.com/exploits/3364

This exploit leverages a vulnerability in Oracle's DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION to grant or revoke DBA privileges to an unprivileged user. It creates an autonomous transaction function to execute the privilege modification, bypassing standard authorization checks.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Oracle Database 9i/10g (tested on 10.1.0.3.0)
Auth required
Prerequisites: Valid Oracle database credentials · Network access to the Oracle database · Oracle InstantClient with DBD::Oracle
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by bunker · perlremotemultiple
https://www.exploit-db.com/exploits/25452

This Perl script exploits an SQL injection vulnerability in Oracle's DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION procedure (CVE-2005-4832) to grant or revoke DBA privileges to an unprivileged user. It leverages the SUBSCRIPTION_NAME parameter to execute arbitrary PL/SQL statements with SYS privileges.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Oracle Database 9i/10g (tested on 10.1.0.3.0)
Auth required
Prerequisites: Valid Oracle database credentials · Network access to the Oracle database · Oracle InstantClient with DBD::Oracle
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC
by Esteban Martinez Fayo, juan vazquez · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription.rb

This Metasploit module exploits a SQL injection vulnerability in Oracle DB's SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION to escalate privileges to DBA. It creates a malicious function, injects it via the vulnerable package, and cleans up afterward.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Oracle Database Server 9i up to 9.2.0.5 and 10g up to 10.1.0.4
Auth required
Prerequisites: Valid Oracle DB credentials · Access to execute SQL queries
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References
Exploit, Vendor Advisory mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/396133
Exploit, Vendor Advisory x_refsource_misc
http://www.argeniss.com/research/OraDBMS_CDC_SUBSCRIBEExploit.txt
Exploit, Vendor Advisory x_refsource_misc
http://www.appsecinc.com/resources/alerts/oracle/2005-02.html
Exploit, Vendor Advisory mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/404970
Patch, Vendor Advisory x_refsource_confirm
http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/13236
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/20159

Scores

EPSS 0.4194
EPSS Percentile 98.5%

Details

Status published
Products (27)
oracle/oracle10g enterprise_9.0.4.0
oracle/oracle10g enterprise_9.0.4_.0
oracle/oracle10g enterprise_10.1.0.2
oracle/oracle10g enterprise_10.1.0.3
oracle/oracle10g enterprise_10.1.0.3.1
oracle/oracle10g enterprise_10.1.0.4
oracle/oracle10g enterprise_10.2.3
oracle/oracle10g personal_9.0.4.0
oracle/oracle10g personal_9.0.4_.0
oracle/oracle10g personal_10.1.0.2
... and 17 more
Published Dec 31, 2005
Tracked Since Feb 18, 2026