Path: blob/master/modules/auxiliary/scanner/oracle/sid_enum.rb
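##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::TNS
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Oracle TNS listener status probe. One STATUS request is sent to the
  # listener; an unprotected listener answers with INSTANCE_NAME /
  # SERVICE_NAME entries, a protected one (9.2.0.8 and above per the
  # description) answers with an ERROR_STACK and nothing is recorded.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle TNS Listener SID Enumeration',
        'Description' => %q{
          This module simply queries the TNS listener for the Oracle SID.
          With Oracle 9.2.0.8 and above the listener will be protected and
          the SID will have to be bruteforced or guessed.
        },
        'Author' => [ 'CG', 'MC' ],
        'License' => MSF_LICENSE,
        'DisclosureDate' => '2009-01-07',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(1521)
      ]
    )
  end

  # Scanner entry point, invoked once per target host.
  #
  # @param ip [String] address of the host being probed
  # @return [void]
  def run_host(ip)
    connect

    sock.put(tns_packet("(CONNECT_DATA=(COMMAND=STATUS))"))

    # Give the listener a moment to answer; only a single read follows.
    select(nil, nil, nil, 0.5)

    data = sock.get_once

    if data.nil?
      print_error("#{ip} Connection but no data")
    elsif data.match?(/ERROR_STACK/)
      # Listener rejects unauthenticated STATUS requests; nothing to enumerate.
      print_error("TNS listener protected for #{ip}...")
    else
      report_names(ip, data)
    end
  rescue ::Rex::ConnectionError, ::Errno::EPIPE => e
    # Unreachable or reset hosts are expected during a sweep; log only in
    # verbose mode and move on to the next host.
    vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")
  ensure
    # Release the socket even when the read or the reporting raised.
    disconnect
  end

  private

  # Extract INSTANCE_NAME and SERVICE_NAME values from a STATUS reply and
  # store each distinct value as a note on the host.
  #
  # @param ip [String] address of the host that produced the reply
  # @param data [String] raw listener response
  # @return [void]
  def report_names(ip, data)
    # scan() with one capture group returns one-element arrays; flatten so the
    # stored and printed value is the bare name rather than its Array#inspect.
    data.scan(/INSTANCE_NAME=([^\)]+)/).flatten.uniq.each do |sid|
      report_note(
        host: ip,
        port: rport,
        type: "oracle_sid",
        data: { port: rport, sid: sid },
        update: :unique_data
      )
      print_good("Identified SID for #{ip}:#{rport} #{sid}")
    end

    data.scan(/SERVICE_NAME=([^\)]+)/).flatten.uniq.each do |name|
      report_note(
        host: ip,
        port: rport,
        type: "oracle_service_name",
        data: { port: rport, service_name: name },
        update: :unique_data
      )
      print_status("Identified SERVICE_NAME for #{ip}:#{rport} #{name}")
    end
  end
end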