CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Auxiliary::Report
8
  include Msf::Exploit::Remote::HttpClient
9
  include Msf::Auxiliary::Scanner
10

11
  def initialize
12
    super(
13
      'Name'        => 'Oracle XML DB SID Discovery',
14
      'Description' => %q{
15
          This module simply makes an authenticated request to retrieve
16
          the sid from the Oracle XML DB httpd server.
17
      },
18
      'References'  =>
19
        [
20
          [ 'URL', 'http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf' ],
21
        ],
22
      'Author'      => [ 'MC' ],
23
      'License'     => MSF_LICENSE
24
    )
25

26
    register_options(
27
        [
28
          Opt::RPORT(8080),
29
          OptString.new('DBUSER', [ false, 'The db user to authenticate with.',  'scott']),
30
          OptString.new('DBPASS', [ false, 'The db pass to authenticate with.',  'tiger']),
31
        ])
32
  end
33

34
  def run_host(ip)
35
    begin
36

37
      user_pass = "#{datastore['DBUSER']}:#{datastore['DBPASS']}"
38

39
      res = send_request_raw({
40
        'uri'     => '/oradb/PUBLIC/GLOBAL_NAME',
41
        'version' => '1.0',
42
        'method'  => 'GET',
43
        'headers' =>
44
        {
45
          'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"
46
        }
47
      }, 5)
48

49
        if( not res )
50
          vprint_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}...")
51
          return
52
        end
53

54
        if (res.code == 200)
55
          if (not res.body.length > 0)
56
          # sometimes weird bug where body doesn't have value yet
57
            res.body = res.bufq
58
          end
59
          sid = res.body.scan(/<GLOBAL_NAME>(\S+)<\/GLOBAL_NAME>/)
60
            report_note(
61
              :host	=> ip,
62
              :port => datastore['RPORT'],
63
              :proto	=> 'tcp',
64
              :type	=> 'oracle_sid',
65
              :data	=> sid,
66
              :update => :unique_data
67
            )
68
          print_status("Discovered SID: '#{sid}' for host #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}")
69
        else
70
          print_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}...")
71
        end
72
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
73
    rescue ::Timeout::Error, ::Errno::EPIPE
74
    end
75
  end
76
end
77

78