CVE-2007-5511

Exploitation Summary

EIP tracks 4 public exploits for CVE-2007-5511. PoCs published by bunker, sh2kerr, CG, including Metasploit module auxiliary/sqli/oracle/lt_findricset_cursor.

AI-analyzed exploit summary This exploit leverages a cursor injection vulnerability in Oracle's SYS.LT.FINDRICSET procedure to grant or revoke DBA privileges to an unprivileged user. It uses DBMS_SQL to execute arbitrary SQL commands without requiring CREATE PROCEDURE privileges.

Description

SQL injection vulnerability in Workspace Manager for Oracle Database before OWM 10.2.0.4.1, OWM 10.1.0.8.0, and OWM 9.2.0.8.0 allows attackers to execute arbitrary SQL commands via the FINDRICSET procedure in the LT package. NOTE: this is probably covered by CVE-2007-5510, but there are insufficient details to be certain.

Exploits (4)

exploitdb WORKING POC VERIFIED

by bunker · perllocalmultiple

https://www.exploit-db.com/exploits/4571

View Code ZIP pw:eip

This exploit leverages a cursor injection vulnerability in Oracle's SYS.LT.FINDRICSET procedure to grant or revoke DBA privileges to an unprivileged user. It uses DBMS_SQL to execute arbitrary SQL commands without requiring CREATE PROCEDURE privileges.

Classification

Working Poc 100%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Oracle Database 10g/11g (pre-CPU Oct. 2007)

Auth required

Prerequisites: Valid Oracle database credentials · Network access to the Oracle database · Oracle InstantClient with DBD::Oracle

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by bunker · perllocalmultiple

https://www.exploit-db.com/exploits/4570

View Code ZIP pw:eip

This exploit leverages a vulnerability in Oracle's SYS.LT.FINDRICSET function to grant or revoke DBA privileges to an unprivileged user. It creates an autonomous transaction function to execute the privilege modification, bypassing standard permission checks.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Oracle Database 10g Enterprise Edition Release 10.1.0.5.0 and 11g

Auth required

Prerequisites: Valid Oracle database credentials · Network access to the Oracle database · Oracle InstantClient with DBD::Oracle

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by sh2kerr · textlocalmultiple

https://www.exploit-db.com/exploits/4572

View Code ZIP pw:eip

This exploit leverages SQL injection in Oracle 10g's LT.FINDRICSET procedure to execute arbitrary SQL commands, granting DBA privileges to the 'scott' user. It uses base64 encoding to evade IDS detection.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Oracle Database 10g (10.1.0.2.0)

Auth required

Prerequisites: Valid Oracle database credentials · Access to execute PL/SQL procedures

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC

by CG · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb

View Code ZIP pw:eip

This Metasploit module exploits a SQL injection vulnerability in Oracle DB's SYS.LT.FINDRICSET package via an Evil Cursor technique to escalate privileges to DBA. It leverages DBMS_SQL to execute arbitrary SQL commands, tested on Oracle 10.1.0.3.0 through 10.1.0.5.0.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Oracle Database 10.1.0.3.0 to 10.1.0.5.0

Auth required

Prerequisites: Valid Oracle DB credentials · Access to execute SQL queries

MITRE ATT&CK