Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/oracle/xdb_sid.rb
19778 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Auxiliary::Report

8
  include Msf::Exploit::Remote::HttpClient

9
  include Msf::Auxiliary::Scanner

10


11
  def initialize

12
    super(

13
      'Name' => 'Oracle XML DB SID Discovery',

14
      'Description' => %q{

15
          This module simply makes an authenticated request to retrieve

16
          the sid from the Oracle XML DB httpd server.

17
      },

18
      'References' => [

19
        [ 'URL', 'http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf' ],

20
      ],

21
      'Author' => [ 'MC' ],

22
      'License' => MSF_LICENSE

23
    )

24


25
    register_options(

26
      [

27
        Opt::RPORT(8080),

28
        OptString.new('DBUSER', [ false, 'The db user to authenticate with.', 'scott']),

29
        OptString.new('DBPASS', [ false, 'The db pass to authenticate with.', 'tiger']),

30
      ]

31
    )

32
  end

33


34
  def run_host(ip)

35
    begin

36
      user_pass = "#{datastore['DBUSER']}:#{datastore['DBPASS']}"

37


38
      res = send_request_raw({

39
        'uri' => '/oradb/PUBLIC/GLOBAL_NAME',

40
        'version' => '1.0',

41
        'method' => 'GET',

42
        'headers' =>

43
        {

44
          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"

45
        }

46
      }, 5)

47


48
      if (not res)

49
        vprint_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}...")

50
        return

51
      end

52


53
      if (res.code == 200)

54
        if (not res.body.length > 0)

55
          # sometimes weird bug where body doesn't have value yet

56
          res.body = res.bufq

57
        end

58
        sid = res.body.scan(/<GLOBAL_NAME>(\S+)<\/GLOBAL_NAME>/)

59
        report_note(

60
          :host	=> ip,

61
          :port => datastore['RPORT'],

62
          :proto	=> 'tcp',

63
          :type	=> 'oracle_sid',

64
          :data	=> { :sid => sid },

65
          :update => :unique_data

66
        )

67
        print_status("Discovered SID: '#{sid}' for host #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}")

68
      else

69
        print_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}...")

70
      end

71
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout

72
    rescue ::Timeout::Error, ::Errno::EPIPE

73
    end

74
  end

75
end

76


77